Hello, one of our customers requested a security scan of our software using the VeraCode platform (https://www.veracode.com/).
We uploaded all of our binaries and started a scan. In this version of our software, we use Infragistics 15.1 for our UI components.
The security scan resulted in a few security issues, and some of them were located in the Infragistics binaries:

1.) Infragistics.Win.UltraWinDock.Menus.UltraContextMenuManager - Attack Vector: user32_dll.SetWindowsHookExA()
References: http://cwe.mitre.org/data/definitions/506.html
2.) Infragistics.Win.KeyboardHookManager - Attack Vector: user32_dll.SetWindowsHookExW
References: http://cwe.mitre.org/data/definitions/506.html
3.) Infragistics.Win.DropDownManager.ActivationChangeHookManager - Attack Vector: user32_dll.SetWindowsHookExW
Since these issues are flagged as high risk, our customer will definitely complain about them, and we cannot get rid of the Infragistics references. Is there a way to fix this problem on our side? Are you aware of these issues? Thank you for your help.
This issue comes up from time to time, and it is normally okay to leave it alone once we've verified that the warning is expected. In order to determine that, we'll need to know which IG DLLs reported the flaw. Veracode should provide a call stack that we can use to determine the code path that was followed to invoke those SetWindowsHook calls. Please provide this so we can investigate.
If you would prefer not to provide this information on the public forum, please let me know and I will open a private case for you.
We are also running into concerns from an internal audit over the Veracode scan results with our use of the Infragistics Grid.
I do not wish to re-implement so your feedback is welcome on how to resolve.
Can we receive the source code and make it a part of the scan package?
I attached some examples.
Infragistics4.Documents.Excel.v14.2.dll - void Save(string, WorkbookSaveOptions) - 46% - 9 - 21
Infragistics4.Documents.IO.v14.2.dll - WordDocumentWriter Create(string) - 94% - 33 - 17
Infragistics4.Documents.Excel.v14.2.dll - Workbook LoadHelper(string, WorkbookLoadOptions) - 22% - 99 - 16
Infragistics4.Documents.Excel.v14.2.dll - WorkbookFormat GetWorkbookFormat(System.IO.Stream, string, bool, WorkbookOptionsBase) - 31%
No problem. If you go to the My Keys and Downloads page (https://www.infragistics.com/my-account/keys-and-downloads) you can download the source code for any version you have a valid key for. We have worked with VeraCode before, and we would be glad to review the code with them for any issue. We have had multiple false flaw flags in the past. They flag lines of code that could be used maliciously but do have valid uses as well. For example, for WindowsForms controls, we often need to listen to the Windows message pump, via GetMsg, so that the control has the proper behavior in all scenarios. But this could be used maliciously, so they flag the code for review.
Let me know if this helps,
Michael Germann
Software Development Team Lead
Infragistics
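To make concrete what the two replies above are asking a reviewer to verify, here is an added example of the benign pattern Michael describes: a WinForms control watching its own thread's message pump through a WH_GETMESSAGE hook. It is not Infragistics code and does not reproduce the flagged classes; the class name MessagePumpHook and the WM_KEYDOWN counter are illustrative. What matters for triaging the Veracode finding is visible in the SetWindowsHookExW call: a non-zero dwThreadId for the calling thread and a NULL module handle make the hook thread-local, whereas dwThreadId == 0 plus a DLL handle would be a system-wide hook loaded into other processes on the desktop, which is the keylogger shape that CWE-506 is actually about. That is the line to look for in the call stack Veracode provides.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not Infragistics code): a thread-local WH_GETMESSAGE hook of the
// kind a WinForms control installs to observe its own message pump. Veracode flags
// SetWindowsHookEx regardless of scope; the review has to establish from the call
// stack that the hook is (a) thread-scoped and (b) removed when the control goes away.
internal sealed class MessagePumpHook : IDisposable
{
    private const int WH_GETMESSAGE = 3;
    private const int HC_ACTION = 0;
    private const uint WM_KEYDOWN = 0x0100;

    private delegate IntPtr HookProc(int nCode, IntPtr wParam, IntPtr lParam);

    // Layout of the Win32 MSG structure that lParam points at for WH_GETMESSAGE.
    [StructLayout(LayoutKind.Sequential)]
    private struct MSG
    {
        public IntPtr hwnd;
        public uint message;
        public IntPtr wParam;
        public IntPtr lParam;
        public uint time;
        public int ptX;
        public int ptY;
    }

    [DllImport("user32.dll", SetLastError = true)]
    private static extern IntPtr SetWindowsHookExW(int idHook, HookProc lpfn, IntPtr hMod, uint dwThreadId);

    [DllImport("user32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool UnhookWindowsHookEx(IntPtr hhk);

    [DllImport("user32.dll")]
    private static extern IntPtr CallNextHookEx(IntPtr hhk, int nCode, IntPtr wParam, IntPtr lParam);

    [DllImport("kernel32.dll")]
    private static extern uint GetCurrentThreadId();

    // Keep a strong reference to the delegate: user32 holds an unmanaged pointer to
    // it and the GC cannot see that. Letting it be collected is a classic crash.
    private readonly HookProc _proc;
    private IntPtr _hook;

    // Illustrative payload of the hook: how many key-down messages this thread saw.
    public int KeyDownCount { get; private set; }

    public MessagePumpHook()
    {
        _proc = OnGetMessage;
        // hMod = NULL and dwThreadId = the current UI thread: a THREAD-LOCAL hook.
        // dwThreadId == 0 together with a DLL module handle would instead install a
        // system-wide hook injected into other processes, which is what a reviewer
        // must rule out when SetWindowsHookEx shows up in a scan.
        _hook = SetWindowsHookExW(WH_GETMESSAGE, _proc, IntPtr.Zero, GetCurrentThreadId());
        if (_hook == IntPtr.Zero)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
    }

    private IntPtr OnGetMessage(int nCode, IntPtr wParam, IntPtr lParam)
    {
        if (nCode == HC_ACTION)
        {
            MSG msg = Marshal.PtrToStructure<MSG>(lParam);
            if (msg.message == WM_KEYDOWN)
                KeyDownCount++;   // only messages destined for this thread arrive here
        }
        // Always chain; otherwise other hooks on the same thread (for example the
        // library's own KeyboardHookManager) never see the message.
        return CallNextHookEx(_hook, nCode, wParam, lParam);
    }

    // Unhooking on dispose is the second thing to confirm in the flagged code path:
    // a hook that is never removed outlives the control that needed it.
    public void Dispose()
    {
        if (_hook != IntPtr.Zero && UnhookWindowsHookEx(_hook))
            _hook = IntPtr.Zero;
    }
}

// Usage sketch inside a WinForms application (hypothetical form type):
//   using (var hook = new MessagePumpHook())
//   {
//       System.Windows.Forms.Application.Run(new MainForm());
//   }
```

When reading the call stack Veracode attaches to each finding, the two arguments worth checking are the third and fourth ones to SetWindowsHookEx: a zero module handle with the caller's own thread id is the UI-control pattern above and can be documented as a reviewed false positive, while a non-zero module handle with thread id zero deserves a real explanation from whoever wrote it.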