Java Test Suite for Source Code Analyzer - weakness suppression Test suite #65
Description
This test suite tests Source Code Security Analyzers against functional requirement SCA-RO-2 specified in "Source Code Security Analysis Tool Functional Specification".
Displaying all 10 test cases
- The code tries to execute a system command read from the input buffer, without any validation.
- The code creates a file from data it has read, without any filtering.
- Authorization is granted by a hard-coded password, which is built into the code. So it can be read from a copy, can be changed easily, and every copy of the code uses the same one.
- The code checks the state of a file before using it, but that state can change while the thread function sleep is running. So the results are invalid.
- This test illustrates the potential to create entry points in the application (and possibly expose state information) that would otherwise not be available to a general user. This is possible through evaluation of user input for a "debug" command.
- This test is an example of a "potential" null pointer dereference. If the system property "java.class.path" is undefined, then any attempt to use its value will result in a null pointer dereference.
- This test illustrates an "unchecked error condition" weakness, where an exception is "caught", but no action is taken within the "catch" clause.
- This is an example of what could be a critical resource lock weakness. A temporary file is locked by the application, but not released. If the file is needed by other processes, they could be delayed or denied, creating a potential "denial of service".
- This servlet implements a Cross-Site Scripting (XSS) vulnerability: the data provided by the client in the field "data" is written as is, without any filtering, to the output document.
- This servlet implements an SQL injection vulnerability: an unsanitized SQL request is sent to the database.