tracker issue : CF-4126665

Title:

Security Analyzer - addtoken and Secure Profile


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): David Epler / David Epler (David Epler)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha_v12 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win All

Vote Count: 1

The behavior for addtoken in <cflocation> changes depending on whether Secure Profile is enabled or not. As the Security Analyzer is currently implemented, it has no way of knowing whether the code will be deployed to a server with Secure Profile enabled.

On a server with Secure Profile and no addtoken in <cflocation>, the current rule is a false positive for that environment.

The Security Analyzer needs to either clarify the message regarding addtoken by adding information about Secure Profile, or there needs to be an option to run the Security Analyzer as if Secure Profile were enabled.
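As an added illustration of the option the report asks for (example code written for this page, not Adobe's Security Analyzer implementation): a toy check for the tag form of <cflocation> that takes an assume_secure_profile switch and evaluates the addtoken rule for either deployment target. It assumes, which the report itself does not state, that Secure Profile changes the server default for addtoken to false, so an omitted attribute no longer appends CFID/CFTOKEN to the redirect URL, whereas without Secure Profile the default is true and the session identifiers end up in the URL. The sample CFML, the Finding type and the function names are constructed for the example.

```python
"""Toy cflocation/addtoken check with a Secure Profile switch.

Added illustration, not Adobe's Security Analyzer code.

Assumption (not stated in the bug report): with Secure Profile enabled the
server default for cflocation's addtoken attribute is "false", so an omitted
attribute does not append CFID/CFTOKEN to the redirect URL; without Secure
Profile the default is "true" and the session identifiers leak into the URL
(and from there into logs, bookmarks and Referer headers).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Tag form only: <cflocation url="..." addtoken="false">, attributes in any
# order, case-insensitive. The script form location(url, addtoken) is not covered.
TAG_RE = re.compile(r"<cflocation\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(
    r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)


@dataclass
class Finding:
    line: int
    message: str


def parse_attrs(attr_text: str) -> dict:
    """Return a tag's attributes as a dict keyed by lowercase attribute name."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        attrs[name.lower()] = dq if dq is not None else (sq if sq is not None else bare)
    return attrs


def check_cflocation(source: str, assume_secure_profile: bool = False) -> List[Finding]:
    """Flag every <cflocation> that would put CFID/CFTOKEN on the redirect URL.

    assume_secure_profile is the knob the bug report asks for: evaluate the
    rule as the code would behave on a Secure Profile server, where an
    omitted addtoken defaults to false (assumption, see module docstring).
    """
    findings: List[Finding] = []
    for m in TAG_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        token: Optional[str] = parse_attrs(m.group(1)).get("addtoken")
        if token is None:
            # Attribute omitted: the server default decides the outcome.
            if not assume_secure_profile:
                findings.append(Finding(
                    line,
                    'cflocation without addtoken: server default appends '
                    'CFID/CFTOKEN to the URL; set addtoken="false" or deploy '
                    'with Secure Profile'))
            continue
        value = token.strip().lower()
        if value in ("false", "no"):
            continue  # explicitly safe on either profile
        if value in ("true", "yes"):
            findings.append(Finding(
                line, 'cflocation with addtoken="true": session identifiers exposed in URL'))
        else:
            # e.g. addtoken="#cfg.addToken#": resolved at run time, report for review
            findings.append(Finding(
                line, f"cflocation with dynamic addtoken={token!r}: verify it resolves to false"))
    return findings


# Constructed sample input, not taken from the bug report.
SAMPLE_CFML = """\
<cfif not isDefined("session.user")>
    <cflocation url="login.cfm">
</cfif>
<cflocation url="/app/home.cfm" addtoken="false">
<CFLOCATION URL='/legacy.cfm' ADDTOKEN="yes" statusCode="302">
<cflocation url="/x.cfm" addtoken="#request.addToken#">
"""

if __name__ == "__main__":
    for profile in (False, True):
        print(f"assume_secure_profile={profile}")
        for f in check_cflocation(SAMPLE_CFML, assume_secure_profile=profile):
            print(f"  line {f.line}: {f.message}")
```

Run against the sample, the default mode reports lines 2, 5 and 6; with assume_secure_profile=True line 2 drops out, which is exactly the false positive the report describes, while the explicit addtoken="yes" and the dynamic value are still reported on either profile.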

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126665

External Customer Info:
External Company:  
External Customer Name: David Epler
External Customer Email: dcepler@dcepler.net
External Test Config: Friendly Name: Current MBP
System Type: Laptop
Brand: Apple 
Model: Mid-2012 15"
Processor Type: Intel Core i7
Processor Speed: 2GHz to 3GHz
Memory: 8GB to 16GB
Hard Drive Storage: 500GB-1TB
Peripherals: LCD Display
Peripherals: Web-Cam
Connectivity: Ethernet
Connectivity: Wireless 802.11 N
Interfaces: Firewire
Interfaces: USB 2.x
Media: CD
Media: CD-R
Media: CD-RW
Media: DVD
Media: DVD+R
Media: DVD-R
Media: SD Card
Primary Operating System: Mac OS X 10.9 (Mavericks)
Secondary Operating System: Windows 7 64
System Location: Other
Time Owned: 2 to 3 Years

Attachments:

Comments:

Adding BUG AUDIT TRAIL ********
2015-09-22 06:25:52.0  updated  Date Closed: Blank -> 2015-09-21 23:25:52.0  (oprid: preethi, record: RQ_DEFECT)
2015-09-22 06:25:52.0  updated  Closed By: Blank -> preethi  (oprid: preethi, record: RQ_DEFECT)
2015-09-22 06:25:52.0  updated  Owner: preethi -> Blank  (oprid: preethi, record: RQ_DEFECT)
2015-09-22 06:25:52.0  updated  Reason: Fixed -> Blank  (oprid: preethi, record: RQ_DEFECT)
2015-09-22 06:25:52.0  updated  Status: ToTest -> Fixed  (oprid: preethi, record: RQ_DEFECT)
2015-09-22 06:25:52.0  updated  State: Open -> Closed  (oprid: preethi, record: RQ_DEFECT)
2015-09-21 11:47:55.0  updated  Date Fixed: Blank -> 2015-09-21 04:47:55.0  (oprid: uogra, record: RQ_DEFECT)
2015-09-21 11:47:55.0  updated  Fixed By: Blank -> uogra  (oprid: uogra, record: RQ_DEFECT)
2015-09-21 11:47:55.0  updated  Owner: uogra -> preethi  (oprid: uogra, record: RQ_DEFECT)
2015-09-21 11:47:55.0  updated  Status: ToFix -> ToTest  (oprid: uogra, record: RQ_DEFECT)
2015-09-21 11:47:55.0  updated  Changelist: Blank -> 295599  (oprid: uogra, record: RQ_DEFECT)
2015-09-21 11:47:55.0  updated  Reason: Investigate -> Fixed  (oprid: uogra, record: RQ_DEFECT)
2015-07-30 10:48:19.0  updated  Fix By Milestone: Blank -> Beta  (oprid: preethi, record: RQ_DEFECT)
2015-07-30 10:48:19.0  updated  Fix By Product Milestone: Blank -> Beta  (oprid: preethi, record: RQ_DEFECT)
2015-07-30 10:48:19.0  updated  Reason: Blank -> Investigate  (oprid: preethi, record: RQ_DEFECT)
2015-07-30 10:48:19.0  updated  Priority: 0 -> 2  (oprid: preethi, record: RQ_DEFECT)
2015-07-30 10:48:19.0  updated  Dev Assigned: sanniset -> uogra  (oprid: preethi, record: RQ_DEFECT)
2015-07-30 10:48:19.0  updated  Status: Unverified -> ToFix  (oprid: preethi, record: RQ_DEFECT)
2015-07-30 10:48:19.0  updated  Owner: preethi -> uogra  (oprid: preethi, record: RQ_DEFECT)
2015-07-27 20:13:25.0  added    Vote Type: Blank -> BETA  (oprid: prerelease, record: AD_DEFECT_VOTE)
Comment by CFwatson U.
3553 | March 09, 2016 04:29:56 AM GMT
I agree - moreover I think the security analyzer needs options, and they need to be project specific.
Vote by External U.
3555 | March 09, 2016 04:29:59 AM GMT
Added By: preethi
Note Added: Fix will be available in the next release. Thanks!
Date Added: 2015-09-22 06:28:57.0

Added By: PreRelease User (User Name: David Epler)
Note Added: Entered Bug.
Date Added: 2015-07-26 16:11:48.0
Comment by CFwatson U.
3554 | March 09, 2016 04:30:15 AM GMT