[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[LDM #TXB-774930]: LDM Fortify Security Scan

This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.

  • Subject: [LDM #TXB-774930]: LDM Fortify Security Scan
  • Date: Tue, 02 Apr 2013 14:21:06 -0600
Leo,

> Attached is the most detailed report available with Fortify (Developer 
> Workbook).  Our Tools team also select all options for the Executive Summary 
> report.

I'll have to think about the reported issues with the libxml2 subpackage 
because I'm not the developer of that package.

Do you already have an XML2 library on your systems (e.g., /usr/lib/libxml2.a, 
/usr/lib/libxml2.so)? If so, would you be willing to use it?

The following issues are with the LDM code proper:

backend.c, line 331 (Dangerous Function: strcpy()): This use of strcpy() in 
this instance is safe by inspection.
backend.c: line 1007 (Double Free): Fixed in the next release.
conftest.c, line 89 (Process Control): The file "conftest.c" is a feature 
test-file created during build-time by the configure(1) script. It may safely 
be ignored.
backend.c, line 1007 (Use After Free): Fixed in the next release.

The report says that it found 259 issues, but only 82 issues were detailed. Why 
the discrepancy?

> Regards,
> 
> //SIGNED//
> Leo R. Rivard, Contractor, AFWA/SEMS
> SEMS II Database Architect
> Northrop Grumman Information Systems
> email: address@hidden
> COMM: 402-232-0271 / DSN: 272-0271
> Alternate Email: address@hidden

Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: TXB-774930
Department: Support LDM
Priority: Normal
Status: Closed