We have chosen Veracode to perform security assessment of our JavaEE code. We have been performing white-box security testing using Veracode. As I am quite new to Veracode, I was surprised to find no results for our imperfect JSP files. All the results were around a few servlets. Also we did not find any results in our Manager classes and Service classes (backend code). Please guide. What am I missing here?
EMPLOYEE0: Hi and thanks for your feedback. I can offer you some general information here and provide suggestions about how we can dig into your specific application.
First, Veracode does have support for JSPs. We generally precompile the JSPs upon your submission so that we can ensure we have all the necessary supporting pieces, then we analyze the resulting bytecode alongside the rest of your compiled Java code.
There are a few things that can go wrong when a customer uploads JSPs:
- JSPs cannot be compiled. This happens when either a supporting library required by the JSP is not present in the upload, or the JSP is in an uncompilable state. We report back any JSP compilation failures in the prescan report, so if you see these it's generally a sign that we won't be able to analyze the content of the JSPs. If you see these warnings, check to see if you are missing a class dependency and see if you can upload it so we can get a good compiled version of your JSP.
- There's a packaging issue. While we can handle a few different ways to package your application, the Veracode service gets best results if you upload a web application as a properly packaged WAR file, including the web.xml. If you upload the application packaged in a different way we may not be able to put the JSPs in their proper context for analysis. This is an area we're working on, because we realize that not every Java application server requires WARs, and you may be deploying using a different model.
- We don't support one of your frameworks. Because Veracode does a full data- and control-flow analysis of the application, we need to have an understanding of everything that might impact the control flow, including frameworks. We typically try to call out unsupported frameworks at upload time as well; obviously that's not something you'll be able to address with a quick fix, but we try to be as transparent as we can about what we can analyze and what we can't.
All of that aside, we may simply have an issue in our engine when it comes to your application. The best thing to do is to schedule a readout with our service team so we can look at your results with you and offer you advice for your specific application. Depending on your subscription, you may have a "Request a Readout" button directly in the UI; if you don't, please contact us at support at veracode.com and we'll see what we can do to answer your concerns.
Many thanks for your detailed response. There is a packaging issue with our application. Our code is not deployed in a WAR structure; instead, it is packaged in a structure specific to our Content Management software (Adobe CQ5).
Do you suggest a workaround for this issue?
EMPLOYEE0: The general guidance I can offer you is to place the application code in a WAR structure (zip file with WAR name, containing a WEB-INF directory which contains a web.xml file).
Unfortunately I can't provide more specific guidance without seeing your app. However, if you contact Veracode support we can escalate this to an engineer who can review your app with you and offer more specific assistance. The contact is email@example.com.
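As an added example (not Veracode's tooling and not from anyone in this thread), the following Python script checks a WAR before upload for the two problems raised above: the WEB-INF/web.xml packaging requirement, and JSP page imports that no class in WEB-INF/classes or WEB-INF/lib can satisfy, which is what makes a JSP uncompilable. The WAR contents, class and package names are constructed for the demonstration; `build_sample_war` is a hypothetical helper that fabricates such an archive in memory.

```python
# Added example, not Veracode's tooling: pre-upload check of a WAR for the two
# failure modes in the thread: missing WEB-INF/web.xml, and JSP page imports that
# nothing in WEB-INF/classes or WEB-INF/lib satisfies. All names are constructed.

import io
import re
import zipfile

IMPORT_RE = re.compile(r'<%@\s*page\b[^%]*?\bimport\s*=\s*"([^"]+)"', re.S)

def _classes_in_war(war):
    """Fully qualified class names a JSP compiler could resolve from this WAR."""
    names = set()
    for entry in war.namelist():
        if entry.startswith("WEB-INF/classes/") and entry.endswith(".class"):
            names.add(entry[len("WEB-INF/classes/"):-6].replace("/", "."))
        elif entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                names.update(n[:-6].replace("/", ".")
                             for n in jar.namelist() if n.endswith(".class"))
    return names

def check_war(war_bytes):
    """Return {'web_xml': bool, 'jsps': [...], 'unresolved': {jsp: [import, ...]}}."""
    report = {"web_xml": False, "jsps": [], "unresolved": {}}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        report["web_xml"] = "WEB-INF/web.xml" in war.namelist()
        classes = _classes_in_war(war)
        packages = {c.rsplit(".", 1)[0] for c in classes if "." in c}
        for entry in sorted(n for n in war.namelist() if n.endswith(".jsp")):
            report["jsps"].append(entry)
            src = war.read(entry).decode("utf-8", "replace")
            imports = [i.strip() for d in IMPORT_RE.findall(src) for i in d.split(",")]
            # JDK and servlet-API imports are always available to the JSP compiler
            missing = [i for i in imports if not i.startswith(("java.", "javax."))
                       and not (i[:-2] in packages if i.endswith(".*") else i in classes)]
            if missing:
                report["unresolved"][entry] = missing
    return report

def build_sample_war(include_web_xml=True):
    """Constructed WAR: one backend class shipped, one JSP importing it plus a class left out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        if include_web_xml:
            war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/classes/com/example/UserManager.class", b"\xca\xfe\xba\xbe")
        war.writestr("user.jsp", '<%@ page import="com.example.UserManager, '
                     'com.missing.Service, java.util.List" %>\n<%= 1 %>')
    return buf.getvalue()
```

Running `check_war(build_sample_war())` reports `user.jsp` with `com.missing.Service` unresolved, the same class-dependency gap the prescan report would flag as a JSP compilation failure.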