New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No detection of XSS vulnerabilities in JAX-RS methods #268
Comments
In which format is the entity returned by default? |
It returns it in JSON format by default.
|
This is in Dropwizard, so it is using Jersey 2 for the JAX-RS and Jackson for all the JSON serialization/deserialization. |
Are you sure this is vulnerable to XSS? |
Well, I am not honestly, as I am not an expert on the finer aspects of XSS. So in your opinion this is a false positive? |
@jacek99 Yes it look like a false positive. |
Please do minimal testing and provide a POC next time. (No offense. Good luck with the triage!) |
Thank you for your time, much appreciated |
@jacek99 I am seeing similar issue with a commercial tool. Were you able to find the fix ? |
@siva-subramani This is a false positive. |
We are comparing SonarQube with Find Bugs (and the Find Security Bugs rules) against a commercial competitor.
The commercial competitor flags all typical JAX-RS REST methods with user input as potential XSS vulnerabilities, e,.g.:
with errors like
None of the Find Security Bugs rules flagged any of the JAX-RS resources with similar vulnerabilities.
Should some JAX-RS specific rules be added?
P.S. ALL the rules classified as "vulnerabilities" have been activated in SonarQube and we are running with the quality profile of "Find Bugs Security Audit".
The text was updated successfully, but these errors were encountered: