Tracker issue: CF-4200938

Title:

Security Analyzer and dbtype="query" within cfquery


Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): / ()

Created: 01/31/2018

Components: Security Analyzer

Versions: 2016,2018

Failure Type: Others

Found In Build/Fixed In Build: CFB-Alpha / 307666

Priority/Frequency: Normal /

Locale/System: ALL / Windows 10 64 bit

Vote Count: 0

Problem Description: 

The security analyzer displays errors when dbtype="query" is used within cfquery. Since cfquery is doing a query of queries and not interacting with a database, I do not think that these errors should show in the security analyzer results. Attached is an image that shows a cfquery and the sort and order parts will display as errors within the security analyzer. 

Steps to Reproduce: 
1. Use dbtype="query" via the cfquery tag and have code like that pictured in the image
2. Run security analyzer
3. Results will display showing these as vulnerabilities

Actual Result: 

False vulnerabilities are displayed within the security analyzer.

Expected Result:

I would expect these false vulnerabilities to not display since the query is not interacting with a database.
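As an added illustration (constructed here, not the reporter's attached code and not Adobe's), the following shows the query-of-queries shape the report describes, a dbtype="query" tag whose sort column and direction come from request parameters, followed by the allow-listed form a reviewer would want regardless of how the analyzer classifies the tag. The query name products and the parameters url.sort and url.order are assumptions.

```cfml
<!--- Constructed example: a source query, then a query of queries over it.
      dbtype="query" runs against the in-memory result, not the datasource. --->
<cfquery name="products" datasource="myDSN">
    SELECT id, name, price FROM products
</cfquery>

<cfparam name="url.sort" default="name">
<cfparam name="url.order" default="ASC">

<!--- Shape the report says Security Analyzer flags: the sort column and
      direction are concatenated straight into the SQL text. --->
<cfquery name="sorted" dbtype="query">
    SELECT id, name, price
    FROM products
    ORDER BY #url.sort# #url.order#
</cfquery>

<!--- Hardened shape: identifiers in ORDER BY cannot be bound with
      cfqueryparam, so restrict both tokens to an allow list first.
      The SQL text then never contains untrusted input, whatever the
      analyzer's verdict on dbtype="query" is. --->
<cfset allowedColumns = ["id", "name", "price"]>
<cfset sortColumn = arrayFind(allowedColumns, url.sort) ? url.sort : "name">
<cfset sortOrder = (uCase(url.order) EQ "DESC") ? "DESC" : "ASC">

<cfquery name="sortedSafe" dbtype="query">
    SELECT id, name, price
    FROM products
    ORDER BY #sortColumn# #sortOrder#
</cfquery>
```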

Any Workarounds:

Attachments:

Comments:

Travis Walters <twalters84@hotmail.com> commented with attachment [mycode.png|ftp://sjshare.corp.adobe.com/PrereleaseBugFiles/Prerelease_Next/Production/31076828-CC55-4646-CB03-9401818A176E/CFB-4198270/1517427377/mycode.png]: User attached file(s) [Attachment Link|ftp://sjshare.corp.adobe.com/PrereleaseBugFiles/Prerelease_Next/Production/31076828-CC55-4646-CB03-9401818A176E/CFB-4198270/1517427377]
Comment by PRNext R. 29222 | January 31, 2018 07:36:17 PM GMT