Skip to main content

Fix quickstart

This quickstart steps you through using the Veracode CLI to fix a security flaw with Veracode Fix. You use Fix to generate suggested fixes and apply a fix to a flaw in a provided demo application.

To fix a flaw with Veracode Fix, complete the following tasks:

  • Meet the prerequisites.
  • Sign in to the Veracode Platform.
  • Use the Veracode Platform to generate API credentials.
  • Set up the Veracode CLI and demo application.
  • Fix a flaw in a demo application.
  • Optionally, confirm the flaw is fixed.

Prerequisites

To complete this quickstart, you must meet the following prerequisites:

  • A Veracode user account in the Commercial Region. To view Fix results, your account must have the Submitter role. Fix currently does not support accounts in the European Region or the US Federal Region. If you need an account, contact the Veracode Administrator for your organization.
  • To run Fix, ensure your system has Git installed.
  • The Veracode CLI requires access to analysiscenter.veracode.com and api.veracode.com, which are both in the Commercial Region. Contact your IT team to ensure both domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
  • To download the demo application, ensure you can access GitHub.

Sign in to the Veracode Platform

To sign in to the Veracode Platform, use one of the following methods.

  • If you have a new Veracode account in the Commercial Region, you received a welcome email that provides a link for activating your account in the Veracode Platform. If you did not receive the welcome email, contact your Veracode Administrator.
  • If you have an active Veracode account, you can sign in to the Veracode Platform using the Commercial Region domain: https://analysiscenter.veracode.com/. If your organization uses a Single Sign-On (SSO) portal such as Okta, you can also access the Veracode Platform with SSO.

Generate API credentials

To access and use the Veracode CLI, you must have API credentials. You provide these credentials after you install the Veracode CLI.

  1. In the Veracode Platform, from the user account dropdown menu, select API Credentials.
  2. Select Generate API Credentials.
  3. Copy the ID and secret key to a secure place.

Though not required for this quickstart, Veracode recommends that you store your credentials in an API credentials file.

Set up the Veracode CLI and demo application

Install the Veracode CLI and clone the demo application verademo in the same folder. By default, the Veracode CLI expects any dependency files to be in the same folder as the CLI executable.

  1. Open a command prompt.

  2. Create the folder /try-fix. On macOS, you might need to create the folder under ~/try-fix.

  3. Change to the folder /try-fix.

  4. Install the Veracode CLI and add your API credentials.

  5. Clone the demo application verademo:

    git clone https://github.com/veracode/verademo

    verademo is a Java web application that meets Veracode compilation and packaging requirements and intentionally includes flaws. verademo includes the scan results file results.json, which lists the discovered flaws after running the command veracode static scan on verademo.

Fix a flaw

Use Veracode Fix to fix a flaw in verademo.

  1. At a command prompt, ensure you are in the folder /try-fix.

  2. To run Fix on IgnoreCommand.java using the included results.json file, run:

    veracode fix --results verademo\docs\scan_results\results.json verademo\app\src\main\java\com\veracode\verademo\commands\IgnoreCommand.java

    Fix correlates the flaws in results.json to the lines of code in IgnoreCommand.java and returns a list of issues. Each issue identifies the Common Weakness Enumeration (CWE), which indicates the flaw type and severity, and the code line number that contains the flaw. An issue ID is a random, arbitrary identifier for a flaw. You only need to be concerned with the CWE ID.

    Issues in source file IgnoreCommand.java:
    IssueID 1012: CWEId 89
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    on line 40 in function com.veracode.verademo.commands.IgnoreCommand.execute
    IssueID 1007: CWEId 89
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    on line 47 in function com.veracode.verademo.commands.IgnoreCommand.execute
    IssueID 1153: CWEId 117
    Improper Output Neutralization for Logs
    on line 39 in function com.veracode.verademo.commands.IgnoreCommand.execute
    IssueID 1146: CWEId 117
    Improper Output Neutralization for Logs
    on line 46 in function com.veracode.verademo.commands.IgnoreCommand.execute
    IssueID 1053: CWEId 404
    Improper Resource Shutdown or Release
    on line 38 in function com.veracode.verademo.commands.IgnoreCommand.execute
    IssueID 1019: CWEId 404
    Improper Resource Shutdown or Release
    on line 40 in function com.veracode.verademo.commands.IgnoreCommand.execute
    Enter issue ID:
  3. To address the first issue, enter issue ID 1012 and press Enter.

    Fix returns two fixes you can apply to patch line 40 in IgnoreCommand.java. The fixes are ranked, with FIX 1 as the top Veracode recommendation that you typically want to apply.

    Requesting fixes...
    Waiting for results...
    .....

    --- FIX 1 -------------------------------------------------------------

    --- verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
    +++ verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
    @@ -8,6 +8,7 @@

    import org.apache.log4j.LogManager;
    import org.apache.log4j.Logger;
    +import java.sql.PreparedStatement;

    public class IgnoreCommand implements BlabberCommand {
    private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
    @@ -34,10 +35,12 @@
    action.setString(2, username);
    action.execute();

    - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
    - Statement sqlStatement = connect.createStatement();
    + sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
    logger.info(sqlQuery);
    - ResultSet result = sqlStatement.executeQuery(sqlQuery);
    + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
    + sqlStatement.setString(1, blabberUsername);
    +
    + ResultSet result = sqlStatement.executeQuery();
    result.next();

    /* START EXAMPLE VULNERABILITY */


    --- FIX 2 -------------------------------------------------------------

    --- verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
    +++ verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
    @@ -35,7 +35,7 @@
    action.execute();

    sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
    - Statement sqlStatement = connect.createStatement();
    + PreparedStatement sqlStatement = connect.prepareStatement();
    logger.info(sqlQuery);
    ResultSet result = sqlStatement.executeQuery(sqlQuery);
    result.next();

    Enter the fix to apply. [1-2]:
  4. To apply FIX 1, enter 1 and press Enter.

    You are done! Veracode Fix has patched the code on line 40 in IgnoreCommand.java and you have remediated a CWE-89 flaw.

Confirm the fix

Optionally, to confirm the fix, you can build verademo as a WAR file, scan the WAR file with the command veracode static scan, and review the results.

  1. Change to the folder /try-fix/verademo.

  2. To build verademo and package it as verademo.war, run:

     mvn -f app\pom.xml clean package
  3. To scan verademo.war, run:

    veracode static scan app\target\verademo.war -esd true

    -esd true adds the stack dump data for each flaw to the scan results in results.json. This parameter is optional, but you must include it if you want to use the results with Fix.

  4. Review the scan results. In the list of High severity issues, which shows all CWE-89 flaws, including the affected source file followed by the code line number, com/veracode/verademo/commands/IgnoreCommand:40 is not listed.

    ===================
    Analyzed 2 modules.
    ===================
    verademo.war
    JS files within verademo.war

    ====================
    Analyzed 172 issues.
    ====================
    -------------------------------------
    Found 2 issues of Very High severity.
    -------------------------------------
    CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:53
    CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:83
    ---------------------------------
    Found 13 issues of High severity.
    ---------------------------------
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:165
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:249
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:310
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:374
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:479
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:490
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:467
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:42
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:49
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:53
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:50
    -----------------------------------

Next steps