Fortify complains about external Maven schemas pom.xml

According to the Fortify report (Fortify is a static code analyzer from HP), the following pom.xml is flagged as vulnerable:

    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    ...

Because of

Build Misconfiguration: External Maven Dependency Repository. This Maven build script relies on external sources that could allow an attacker to inject malicious code into the final product or take control of the build machine.

This is a somewhat false positive detection, but according to my paranoid security policies, I cannot suppress it. So now the pom.xml looks like this:

    <project>
    ...

It still builds / compiles correctly. The IDE still recognizes the file as a valid Maven Object Model file. Nothing bad happened.

I was wondering if there is a possible scenario where this modification could cause some real problems? For example, some well-known tool or parser might not recognize this as a valid Maven project file. Thanks.

+3


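The question asks what breaks when the xmlns / xsi:schemaLocation declaration is stripped from a pom.xml. The following script is an added example, not code from the question or from Fortify: it runs a small version of the "external source" check over two constructed pom fragments (one with the schema declaration from the question, one stripped of it, both carrying a made-up third-party repository URL), and it also shows the one concrete way the stripped file behaves differently for a parser: namespace-aware lookups such as `{http://maven.apache.org/POM/4.0.0}modelVersion` return nothing once the default namespace is gone. The allow-list of trusted repository hosts and the `.invalid` repository URL are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

POM_NS = "http://maven.apache.org/POM/4.0.0"
XSI_SCHEMA_LOCATION = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"

# Constructed sample 1: the pom as Fortify saw it, with the schema declaration
# from the question plus a made-up third-party repository.
POM_WITH_SCHEMA = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>third-party</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
  </repositories>
</project>
"""

# Constructed sample 2: the same pom after the question's edit (no namespace,
# no schemaLocation). The repository declaration is untouched.
POM_STRIPPED = """<?xml version="1.0"?>
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>third-party</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
  </repositories>
</project>
"""

# Assumed allow-list of repository hosts the build is permitted to fetch from.
TRUSTED_REPO_HOSTS = ("repo.maven.apache.org",)


def local_name(tag):
    """Drop the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def find_external_references(pom_text, trusted_hosts=TRUSTED_REPO_HOSTS):
    """Return (kind, url) pairs for every external source the pom points at:
    the XSD URLs in xsi:schemaLocation, and any <repository>/<pluginRepository>
    whose URL is not https or whose host is outside the allow-list."""
    root = ET.fromstring(pom_text)
    findings = []

    # schemaLocation holds "namespace xsd-url" pairs; the URLs are the odd items.
    loc = root.get(XSI_SCHEMA_LOCATION)
    if loc:
        for url in loc.split()[1::2]:
            findings.append(("schemaLocation", url))

    # Walk the tree namespace-agnostically so both pom variants are handled.
    for el in root.iter():
        if local_name(el.tag) not in ("repository", "pluginRepository"):
            continue
        url_el = next((c for c in el if local_name(c.tag) == "url"), None)
        if url_el is None or not url_el.text:
            continue
        url = url_el.text.strip()
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname not in trusted_hosts:
            findings.append((local_name(el.tag), url))
    return findings


def uses_pom_namespace(pom_text):
    """True when the root element lives in the Maven POM namespace."""
    return ET.fromstring(pom_text).tag == "{%s}project" % POM_NS


def model_version(pom_text, namespace_aware=True):
    """Read <modelVersion> the way a namespace-aware (or unaware) tool would.
    Returns None when the lookup misses, which is the parser-compatibility
    risk of stripping the xmlns declaration."""
    root = ET.fromstring(pom_text)
    tag = "{%s}modelVersion" % POM_NS if namespace_aware else "modelVersion"
    el = root.find(tag)
    return el.text.strip() if el is not None and el.text else None


if __name__ == "__main__":
    for label, pom in (("with schema", POM_WITH_SCHEMA), ("stripped", POM_STRIPPED)):
        print(label, "namespace:", uses_pom_namespace(pom),
              "modelVersion (ns-aware):", model_version(pom),
              "findings:", find_external_references(pom))
```

Stripping the declaration removes only the schemaLocation finding; the repository URL, which is the actual fetch the Fortify category describes, is still reported for both files. The `model_version` calls show the trade-off the question is asking about: tooling that queries the POM by its namespace will not find `<modelVersion>` in the stripped file, while Maven's own reader, which the asker reports still builds the project, is not affected.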


1 answer


I don't think they resolved the issue that was filed, since I don't see the commit. For me, even when I removed the <project> it still complains about the same problem as in the question. Note: I am using version 6.21.0005 with audit tooling, Fortify Static Code Analyzer software.



0








