IBM Support

PI45160: IBM SECURITY APPSCAN SOURCE FOR ANALYSIS 9.0.2 CROSS SITESCRIPTING.REFLECTED : FALSE POSITIVE


APAR status

  • Closed as program error.

Error description

  • IBM Security AppScan Source for Analysis 9.0.2 flags a
    CrossSiteScripting.Reflected finding on the JSP 2.0 <c:forEach> tag
    when it is used with Struts ActionForms.
    This occurs when the JSP 2.0 ActionForms Property scan rule is
    enabled in the scan by including the Java scan rule set
    (project 'Properties').
    Because the rule does not take the <c:forEach> tag into account,
    false positives may result.

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Any users using PBSA rules to scan their Java/JSP projects   *
    * using AppScan Source.                                        *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * If the JSP code being scanned contains a <c:forEach> tag,    *
    * a CrossSiteScripting.Reflected false positive is reported.   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • We updated our PBSA rules to take this tag into account when
    looking for vulnerabilities. Starting with the 9.0.3 release, this
    will no longer be reported as a false positive.

Temporary fix

Comments

APAR Information

  • APAR number

    PI45160

  • Reported component name

    SEC APPSCAN SRC

  • Reported component ID

    5724Z3400

  • Reported release

    902

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-07-17

  • Closed date

    2015-11-17

  • Last modified date

    2015-12-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SEC APPSCAN SRC

  • Fixed component ID

    5724Z3400

Applicable component levels

  • R901 PSY

       UP

  • R902 PSY

       UP


Document Information

Modified date:
21 December 2021