Fix quickstart

This quickstart steps you through using the Veracode CLI to fix a security flaw with Veracode Fix. You use Fix to generate suggested fixes and apply a fix to a flaw in a provided demo application.

To use Fix in VS Code, see Veracode Scan in VS Code.

To fix a flaw with Veracode Fix, complete the following tasks:

• Meet the prerequisites.
• Sign in to the Veracode Platform.
• Use the Veracode Platform to generate API credentials.
• Set up the Veracode CLI and demo application.
• Fix a flaw in a demo application.
• Optionally, confirm the flaw is fixed.

Prerequisites

To complete this quickstart, you must meet the following prerequisites:

• A Veracode user account in the Commercial Region. To view Fix results, your account must have the Submitter role. Fix currently does not support accounts in the European Region or the US Federal Region. If you need an account, contact the Veracode Administrator for your organization.
• To run Fix, ensure your system has Git installed.
• The Veracode CLI requires access to analysiscenter.veracode.com and api.veracode.com, which are both in the Commercial Region. Contact your IT team to ensure both domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
• To download the demo application, ensure you can access GitHub.

Sign in to the Veracode Platform

To sign in to the Veracode Platform, use one of the following methods.

• If you have a new Veracode account in the Commercial Region, you received a welcome email that provides a link for activating your account in the Veracode Platform. If you did not receive the welcome email, contact your Veracode Administrator.
• If you have an active Veracode account, you can sign in to the Veracode Platform using the Commercial Region domain: https://analysiscenter.veracode.com/. If your organization uses a Single Sign-On (SSO) portal such as Okta, you can also access the Veracode Platform with SSO.

Generate API credentials

To access and use the Veracode CLI, you must have API credentials. You provide these credentials after you install the Veracode CLI.

1. In the Veracode Platform, from the user account dropdown menu, select API Credentials.
2. Select Generate API Credentials.
3. Copy the ID and secret key to a secure place.

Though not required for this quickstart, Veracode recommends that you store your credentials in an API credentials file.

Set up the Veracode CLI and demo application

Install the Veracode CLI and clone the demo application verademo in the same folder. By default, the Veracode CLI expects any dependency files to be in the same folder as the CLI executable.

1. Open a command prompt.

2. Create the folder /try-fix. On macOS, you might need to create the folder under ~/try-fix.

3. Change to the folder /try-fix.

4. Install the Veracode CLI and add your API credentials.

5. Clone the demo application verademo:

   git clone https://github.com/veracode/verademo

   verademo is a Java web application that meets Veracode compilation and packaging requirements and intentionally includes flaws. verademo includes the scan results file results.json, which lists the discovered flaws after running the command veracode static scan on verademo.

Fix a flaw

Use Veracode Fix to fix a flaw in verademo.

1. At a command prompt, ensure you are in the folder /try-fix.

2. To run Fix on IgnoreCommand.java using the included results.json file, run:

   Windows

   veracode fix --results verademo\docs\scan_results\results.json verademo\app\src\main\java\com\veracode\verademo\commands\IgnoreCommand.java

   macOS or Linux

   ./veracode fix --results verademo/docs/scan_results/results.json verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java

   Fix correlates the flaws in results.json to the lines of code in IgnoreCommand.java and returns a list of issues. Each issue identifies the Common Weakness Enumeration (CWE), which indicates the flaw type and severity, and the code line number that contains the flaw. An issue number is a random, arbitrary identifier for a flaw. You only need to be concerned with the CWE ID.

   Issues in source file IgnoreCommand.java:
        1: CWEId 89
                     Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
                     on line 40 in function com.veracode.verademo.commands.IgnoreCommand.execute
        2: CWEId 89
                     Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
                     on line 47 in function com.veracode.verademo.commands.IgnoreCommand.execute
        3: CWEId 117
                     Improper Output Neutralization for Logs
                     on line 39 in function com.veracode.verademo.commands.IgnoreCommand.execute
        4: CWEId 117
                     Improper Output Neutralization for Logs
                     on line 46 in function com.veracode.verademo.commands.IgnoreCommand.execute
        5: CWEId 404
                     Improper Resource Shutdown or Release
                     on line 38 in function com.veracode.verademo.commands.IgnoreCommand.execute
        6: CWEId 404
                     Improper Resource Shutdown or Release
                     on line 40 in function com.veracode.verademo.commands.IgnoreCommand.execute
   Enter issue number:

3. To fix the first issue, enter issue number 1, then press Enter.

   Fix returns two fixes you can apply to patch line 40 in IgnoreCommand.java. The fixes are ranked, with FIX 1 as the top Veracode recommendation that you typically want to apply.

   Requesting fixes...
   Waiting for results...
   ...
   
   --- FIX 1 -------------------------------------------------------------
   
   --- verademo\app\src\main\java\com\veracode\verademo\commands\IgnoreCommand.java
   +++ verademo\app\src\main\java\com\veracode\verademo\commands\IgnoreCommand.java
   @@ -34,10 +34,12 @@
                           action.setString(2, username);
                           action.execute();
   
   -                       sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
   -                       Statement sqlStatement = connect.createStatement();
   +                       sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
                           logger.info(sqlQuery);
   -                       ResultSet result = sqlStatement.executeQuery(sqlQuery);
   +                       PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
   +               sqlStatement.setString(1, blabberUsername);
   +
   +                       ResultSet result = sqlStatement.executeQuery();
                           result.next();
   
                           /* START EXAMPLE VULNERABILITY */
   
   
   --- FIX 2 -------------------------------------------------------------
   
   --- verademo\app\src\main\java\com\veracode\verademo\commands\IgnoreCommand.java
   +++ verademo\app\src\main\java\com\veracode\verademo\commands\IgnoreCommand.java
   @@ -35,7 +35,7 @@
                           action.execute();
   
                           sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
   -                       Statement sqlStatement = connect.createStatement();
   +                       PreparedStatement sqlStatement = connect.prepareStatement();
                           logger.info(sqlQuery);
                           ResultSet result = sqlStatement.executeQuery(sqlQuery);
                           result.next();
   
   Select a fix to apply? [1-2]:

4. To apply FIX 1, enter 1, then press Enter.

   You are done! Veracode Fix has patched the code on line 40 in IgnoreCommand.java and you have remediated a CWE-89 flaw.

Confirm the fix

Optionally, to confirm the fix, you can build verademo as a WAR file, scan the WAR file with the command veracode static scan, and review the results.

1. Change to the folder /try-fix/verademo.

2. To build verademo and package it as verademo.war, run:

   Windows

    mvn -f app\pom.xml clean package

   macOS or Linux

   mvn -f app/pom.xml clean package

3. To scan verademo.war, run:

   Windows

   veracode static scan app\target\verademo.war

   macOS or Linux

   ./veracode static scan app/target/verademo.war

4. Review the scan results. In the list of High severity issues, which shows all CWE-89 flaws, including the affected source file followed by the code line number, com/veracode/verademo/commands/IgnoreCommand:40 is not listed.

   ===================
   Analyzed 2 modules.
   ===================
   verademo.war
   JS files within verademo.war
   
   ====================
   Analyzed 172 issues.
   ====================
   -------------------------------------
   Found 2 issues of Very High severity.
   -------------------------------------
   CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:53
   CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:83
   ---------------------------------
   Found 13 issues of High severity.
   ---------------------------------
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:165
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:249
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:310
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:374
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:479
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:490
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:467
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:42
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:49
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:53
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:50
   -----------------------------------

Next steps

• Learn more about Veracode Fix.
• Learn about Veracode and the CWE.
• Learn more about the Veracode CLI.