<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:og="http://ogp.me/ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:schema="http://schema.org/" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#">
<channel>
<title>Veracode</title>
<link>https://www.veracode.com/</link>
<description></description>
<language>en</language>
<pubDate>Thu, 28 Mar 2024 10:05:47 -0400</pubDate>
<item>
<title>Veracode Scan for VS Code: Now with Veracode Fix</title>
<link>https://www.veracode.com/blog/customer-news/veracode-scan-vs-code-now-veracode-fix</link>
<description>
<span>Veracode Scan for VS Code: Now with Veracode Fix</span>
<div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Veracode is pleased to announce the availability of Veracode Fix capability in Veracode Scan for VS Code. Now developers can discover and remediate security flaws using Veracode’s Generative AI-powered tools directly from their Integrated Development Environment (IDE).</p>
<p>According to the <a href="//www.veracode.com/state-software-security-2024-report" style="color:#0563c1; text-decoration:underline">Veracode State of Software Security</a>, 45.9% of organizations have critical security debt. The fact that this data comes from organizations who are actively testing their software with a high-quality solution implies that it’s not finding flaws that is the problem: it’s fixing them.</p>
<p>Last year we introduced <a href="//www.veracode.com/fix">Veracode Fix</a>, an AI assistant that takes the results of a Veracode Static scan and lets developers apply suggested fixes directly to their code. Veracode Fix cuts the time to research and implement a fix for a given finding to minutes, while still keeping the developer in control. Fix was implemented as part of the Veracode CLI utility, which is available for Linux, Windows, and macOS.</p>
<p>A little more recently, we introduced a new <a href="//www.veracode.com/blog/customer-news/announcing-veracode-scan-unified-sast-and-sca-ide-plugin">combined plugin for VS Code</a> that performed both Static analysis and Software Composition Analysis (SCA).</p>
<p>With this new release of our Veracode Scan <a href="https://docs.veracode.com/r/Veracode_Scan_for_VS_Code" style="color:#0563c1; text-decoration:underline">plugin for VS Code</a>, developers can use the power of Veracode to discover and remediate flaws directly in the IDE. Starting with VS Code, the Veracode plugin can take the results of Static scans and offer a choice of solutions for developers to select to remediate a discovered flaw.</p>
<h2>How it works</h2>
<p>To begin scanning, click the 'scan' button in the Veracode plugin. This first builds and packages the code for analysis, because scanning deployment assets gives more accurate results than scanning uncompiled source code. Next, the code and its dependencies are analyzed by the Veracode Platform.</p>
<p><img alt="Veracode Scan for VS Code: Start Scanning" data-entity-type="file" data-entity-uuid="1d6c5976-fdb4-46db-913f-52ddccedddef" src="//www.veracode.com/sites/default/files/inline-images/Screenshot%202024-02-27%20at%2012.11.01.png" /></p>
<p>Once the results are returned, select a flaw, and Veracode Fix will generate one or more remediations you can choose from and then apply directly to the source file. The whole operation is performed within the VS Code IDE; it saves time, drives consistency, and helps cut the creation of security debt by constantly exposing developers to best-practice solutions.</p>
<p><img alt="Veracode Scan for VS Code: Apply a fix" data-entity-type="file" data-entity-uuid="376c0c47-e45e-4f36-ae66-72ebc76a6142" src="//www.veracode.com/sites/default/files/inline-images/Screenshot%202024-02-27%20at%2012.15.16.png" /></p>
<p>Giving developers the ability to find and fix security flaws in the IDE not only puts the tools in the right place, it also shifts security flaw mitigation to the right <i>time</i> in the SDLC. Fixing flaws early and easily improves throughput, amplifies feedback, and reduces failed builds in the CI/CD pipeline. Developers get results and remediations before code is committed, meaning that later security scans are less likely to find build-breaking flaws that slow down delivery. Scanning and remediating early cuts the time and effort involved in triaging, prioritizing, assigning, and solving a flaw, significantly reducing an organization’s overall Mean Time to Remediate (MTTR).</p>
<p>Another benefit developers will appreciate is the reduced cognitive load of addressing flaws in code they are actively working on, rather than having to address issues days or weeks, and hundreds of new lines of code, later. Security teams will also benefit from early scans. Using the Veracode plugin, results generated in the IDE stay in the IDE, which improves the signal-to-noise ratio of later scans and makes uncaught flaws easier to identify.</p>
<h2>Supported Languages and Environments</h2>
<p>Currently, the Veracode Scan plugin is available for VS Code (1.78.2 or later) and supports a wide range of languages for <a href="https://docs.veracode.com/r/Pipeline_Scan_Supported_Languages" style="color:#0563c1; text-decoration:underline">Static</a> and <a href="https://docs.veracode.com/r/c_sc_agent_languages" style="color:#0563c1; text-decoration:underline">SCA</a> scans. Veracode Fix support is available for Java, JavaScript, PHP, and Python. Support for additional IDEs and languages is actively in development.</p>
<p>The auto-packaging feature works with the following package managers (interpreted languages don’t require any packaging steps):</p>
<ul>
<li>Java: Maven or Gradle </li>
<li>JavaScript: NPM or Yarn</li>
<li>Python: pip</li>
</ul>
<p>Other build systems can be scanned but they will require a <a href="https://docs.veracode.com/r/Veracode_Scan_for_VS_Code" style="color:#0563c1; text-decoration:underline">manual packaging</a> step. The initial version of the plugin will allow one code fix per source file between rescans, but multiple source files can be remediated without rescanning.</p>
<h2>In conclusion</h2>
<p>Since its release, Veracode Fix has helped many Veracode customers remediate security flaws faster and begin to eat away at their risky security debt. The release of Veracode Fix in VS Code is set to improve the experience for developers by combining highly accurate scan results and easy remediation built into the tools they use every day.</p>
<p class="text-align-center">We’d encourage you to <a href="https://info.veracode.com/veracode-solution-demo.html" style="color:#0563c1; text-decoration:underline">request a personalized demo</a> or, <a href="//www.veracode.com/contact-us" style="color:#0563c1; text-decoration:underline">contact</a> your friendly neighborhood <s>spiderman</s> Veracode team for more information.</p>
</div>
<span><span lang="" about="/users/rhaynes" typeof="schema:Person" property="schema:name" datatype="">rhaynes</span></span>
<span><time datetime="2024-02-27T14:58:43-05:00" title="Tuesday, February 27, 2024 - 14:58">Tue, 02/27/2024 - 14:58</time>
</span>
<div class="field field--name-field-featured-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="/sites/default/files/default_images/default_fullsize_image_1600x800_Generic_2.png" width="1396" height="550" alt="" typeof="foaf:Image" />
</div>
</description>
<pubDate>Tue, 27 Feb 2024 19:58:43 +0000</pubDate>
<dc:creator>rhaynes</dc:creator>
<guid isPermaLink="false">64931 at https://www.veracode.com</guid>
</item>
<item>
<title>Veracode Customers Shielded from NVD Disruptions</title>
<link>https://www.veracode.com/blog/research/veracode-customers-shielded-nvd-disruptions</link>
<description>
<span>Veracode Customers Shielded from NVD Disruptions</span>
<div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p paraeid="{db8e0787-4725-49be-96ac-f2538eee8e19}{178}" paraid="1418970104">The US National Institute of Standards and Technology (NIST) has almost completely stopped analyzing new vulnerabilities (CVEs) listed in its National Vulnerability Database (NVD). Through the first six weeks of 2024, NIST analyzed over 3,500 CVEs, with only 34 CVEs awaiting analysis.<sup>1</sup> Since February 13th, however, nearly half (48%) of the 7,200 CVEs received this year by the NVD are still awaiting analysis.<sup>2</sup> The number of CVEs analyzed has dropped nearly 80%, to fewer than 750. Other than a vague reference to <a href="https://nvd.nist.gov/general/news/nvd-program-transition-announcement" rel="noreferrer noopener" target="_blank">establishing a consortium</a>, the reasons behind this disruption remain a mystery.</p>
<p paraeid="{73a3895e-0477-4353-9f1e-d7364e328236}{141}" paraid="2049309200">Thankfully, Veracode customers need not worry about this disruption because they have access to Veracode’s proprietary database. Since the notice on February 13th, Veracode has released over 300 CVEs. Of these 300+, NVD has analyzed fewer than 15. Read on to learn how Veracode SCA operates without NVD providing CVE analysis.</p>
<h2 aria-level="2" paraeid="{db8e0787-4725-49be-96ac-f2538eee8e19}{225}" paraid="1373319044" role="heading">NVD Analysis </h2>
<p paraeid="{db8e0787-4725-49be-96ac-f2538eee8e19}{231}" paraid="560866836">When a CVE Numbering Authority (<a href="https://nvd.nist.gov/general/cna-counting" rel="noreferrer noopener" target="_blank">CNA</a>) adds a CVE to the NVD, it is required to include information such as a URL referencing the vulnerability and a description summarizing it. Some CNAs may provide additional information such as a CVSS score, but this is not required, so as part of its analysis process the NVD plays an important role in enriching the data associated with each CVE. For example, NVD will add a Common Weakness Enumeration (CWE) identifier, Common Vulnerability Scoring System (CVSS) exploitability and impact metrics, and a Common Platform Enumeration (CPE) to help users identify product names and versions that are either vulnerable or patched.</p>
<h2 aria-level="2" paraeid="{58bc3243-6e54-4c07-bd1d-f75dc8326497}{73}" paraid="1247129365" role="heading">Why You Should Not Rely Solely on the NVD </h2>
<p paraeid="{58bc3243-6e54-4c07-bd1d-f75dc8326497}{79}" paraid="575177443">While the NVD provides an incredibly valuable service to society, it was never wise to rely on it as your sole source of open-source security data. Consider these three scenarios: </p>
<ol role="list" start="1">
<li role="listitem">
<p paraeid="{58bc3243-6e54-4c07-bd1d-f75dc8326497}{109}" paraid="1850319636"><strong>Silent Fixes.</strong> What if an open-source library contributor fixes a security vulnerability and does not tell anyone? Veracode sees these “silent fixes” all the time in commits in GitHub and in bug reports in Bugzilla.</p>
</li>
<li role="listitem">
<p paraeid="{58bc3243-6e54-4c07-bd1d-f75dc8326497}{144}" paraid="400916381"><strong>Delayed Disclosures.</strong> What if the vulnerability is not reported in a timely manner? For example, <a href="https://sca.analysiscenter.veracode.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-7342/summary" rel="noreferrer noopener" target="_blank">CVE-2018-11776</a>, an Apache Struts Remote Code Execution vulnerability similar to the one that led to the 2017 Equifax breach, was patched in April 2018 but not disclosed until August of that same year, giving hackers four months to take advantage of vulnerable software.</p>
</li>
<li role="listitem">
<p paraeid="{58bc3243-6e54-4c07-bd1d-f75dc8326497}{187}" paraid="1280227639"><strong>Systemic Delays.</strong> If a vulnerability is in fact reported, what about the fact that it can take weeks or months to go through the CNAs’ process of vetting and assigning a CVE, and then several more weeks for NVD to go through its analysis process? Since all this information is public, these systemic delays give hackers plenty of time to exploit these vulnerabilities.</p>
</li>
</ol>
<h2 aria-level="2" paraeid="{58bc3243-6e54-4c07-bd1d-f75dc8326497}{214}" paraid="1528545545" role="heading">Veracode’s Proprietary Database </h2>
<p paraeid="{58bc3243-6e54-4c07-bd1d-f75dc8326497}{220}" paraid="600155625">For over a decade, Veracode has cultivated a database that includes not only the open-source vulnerabilities in the NVD, but also undisclosed vulnerabilities in open-source libraries. Sometimes these vulnerabilities fall into the previously described “silent fixes” or “delayed disclosures” categories, but often they fall in the “systemic delays” category. This is why customers see “Reserved CVEs” in Veracode’s database. A CNA will assign a CVE ID to a vulnerability and give it a “Reserved” status when they need more details about the vulnerability or are waiting for upstream developers to integrate the fix before announcing the vulnerability to the world. This is known as the “embargo period” in responsible disclosure. Veracode will not publish information about embargoed CVEs unless its security research team finds reputable information about a given reserved CVE. The bottom line is that Veracode customers often do not need to wait for this process to complete because Veracode researchers can gather those details and add the vulnerability to Veracode’s database, giving users the opportunity to fix these vulnerabilities before the CVE is analyzed by NVD. </p>
<h2 aria-level="3" paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{87}" paraid="757270368" role="heading">Sources </h2>
<p paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{93}" paraid="314736053">The NVD is not Veracode’s only source of vulnerability data. The table below lists other sources that Veracode’s researchers utilize. </p>
<table aria-rowcount="6" border="1" data-tablelook="1184" data-tablestyle="MsoTableGrid">
<tbody>
<tr aria-rowindex="1" role="row">
<td data-celllook="65536" role="rowheader">
<p paraeid="{32ebffcb-0282-432f-95a3-adc882f1915d}{132}" paraid="2128823817">Source </p>
</td>
<td data-celllook="65536" role="columnheader">
<p paraeid="{32ebffcb-0282-432f-95a3-adc882f1915d}{139}" paraid="1879230808">Details </p>
</td>
</tr>
<tr aria-rowindex="2" role="row">
<td data-celllook="0" role="rowheader">
<p paraeid="{32ebffcb-0282-432f-95a3-adc882f1915d}{147}" paraid="2096256226">OSV </p>
</td>
<td data-celllook="0">
<p paraeid="{32ebffcb-0282-432f-95a3-adc882f1915d}{154}" paraid="2007985738">Data from <a href="https://osv.dev/" rel="noreferrer noopener" target="_blank">osv.dev</a> includes vulnerabilities from <a href="https://github.com/advisories" rel="noreferrer noopener" target="_blank">GitHub Security Advisories</a> and many <a href="https://google.github.io/osv.dev/" rel="noreferrer noopener" target="_blank">other sources</a>. </p>
</td>
</tr>
<tr aria-rowindex="3" role="row">
<td data-celllook="0" role="rowheader">
<p paraeid="{32ebffcb-0282-432f-95a3-adc882f1915d}{186}" paraid="341008530">GitHub issues and commits </p>
</td>
<td data-celllook="0">
<p paraeid="{32ebffcb-0282-432f-95a3-adc882f1915d}{203}" paraid="1571586387">Aided by machine learning to find issues and commits related to vulnerabilities, Veracode researchers monitor popular library commit and issue history to reveal nondisclosed vulnerabilities. </p>
</td>
</tr>
<tr aria-rowindex="4" role="row">
<td data-celllook="0" role="rowheader">
<p paraeid="{32ebffcb-0282-432f-95a3-adc882f1915d}{223}" paraid="1606825937">Bug trackers </p>
</td>
<td data-celllook="0">
<p paraeid="{32ebffcb-0282-432f-95a3-adc882f1915d}{230}" paraid="1381512410">Aided by machine learning to discern bugs from vulnerabilities, Veracode researchers monitor public Bugzilla and Jira tickets to find vulnerabilities. </p>
</td>
</tr>
<tr aria-rowindex="5" role="row">
<td data-celllook="0" role="rowheader">
<p paraeid="{a5874352-8cae-4818-aa52-8edd767e25b6}{1}" paraid="499182303">Mailing lists </p>
</td>
<td data-celllook="0">
<p paraeid="{a5874352-8cae-4818-aa52-8edd767e25b6}{8}" paraid="218050157">Veracode researchers subscribe to various open-source software security mailing lists where maintainers and researchers discuss potential vulnerabilities. Again, machine learning is utilized to filter and prioritize. </p>
</td>
</tr>
<tr aria-rowindex="6" role="row">
<td data-celllook="0" role="rowheader">
<p paraeid="{a5874352-8cae-4818-aa52-8edd767e25b6}{34}" paraid="848119727">Product Advisories and Announcements </p>
</td>
<td data-celllook="0">
<p paraeid="{a5874352-8cae-4818-aa52-8edd767e25b6}{43}" paraid="1896074177">To cover times when a vulnerability is only disclosed via a vendor/library security advisory page, Veracode scrapes vendor disclosure pages. </p>
</td>
</tr>
</tbody>
</table>
<h2 aria-level="3" paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{111}" paraid="1826421272" role="heading">Machine Learning </h2>
<p paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{117}" paraid="364539656">Long before it became a buzzword, Veracode was using machine learning to automate the identification of potential security vulnerabilities from commit messages and bug reports. In open-source projects, bugs are typically tracked in issue trackers, and code changes are merged as commits to source control repositories. Veracode’s vulnerability triage system uses natural language processing and real machine learning to identify potential vulnerabilities in open-source libraries with a high level of accuracy. By learning the patterns found in past commit messages and bug-tracking issues, the model can identify when new commits or issues resemble a silent fix of a potential vulnerability. These potential vulnerabilities are then raised to Veracode’s security research team.</p>
<h2 aria-level="3" paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{123}" paraid="2079745123" role="heading">Research Team </h2>
<p paraeid="{7c7ec44a-1518-4a9f-9678-06bc5b0ea05a}{92}" paraid="734167480">The security research team triages the data provided by the machine learning system and reviews each potential vulnerability for accuracy; any false positives are fed back into the system to continuously improve the model over time. For true positives, the curation process involves the following steps:</p>
<ul role="list">
<li role="listitem">
<p paraeid="{7c7ec44a-1518-4a9f-9678-06bc5b0ea05a}{142}" paraid="1341072080"><strong>Determining the vulnerable range.</strong> While disclosures sometimes include the version in which the vulnerability was first introduced and the version containing the fix, this information is often missing, so researchers review the commit history to find when the vulnerability was first introduced and evidence of the fix.</p>
</li>
<li role="listitem">
<p paraeid="{7c7ec44a-1518-4a9f-9678-06bc5b0ea05a}{189}" paraid="2015593090"><strong>Verifying the fix is released.</strong> Researchers download the “fixed” version from the respective package manager and confirm that it contains the fixed code.</p>
</li>
<li role="listitem">
<p paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{129}" paraid="120737063"><strong>Identifying vulnerable methods.</strong> Researchers add the public methods affected by the vulnerability to the database so that Veracode’s SCA agent scanner can detect when your code calls those methods.</p>
</li>
<li role="listitem">
<p paraeid="{edac1523-8fd1-4d43-b1e1-81fdc3070104}{6}" paraid="574274304"><strong>Adding details.</strong> Rather than copy the description of the vulnerability directly from the disclosure or CVE, researchers often rephrase it to follow Veracode’s description format and to provide extra details that were discovered while reading the source code.</p>
</li>
<li role="listitem">
<p paraeid="{edac1523-8fd1-4d43-b1e1-81fdc3070104}{55}" paraid="1846931034"><strong>Scoring.</strong> At this point, having read the source code, the team has a thorough understanding of the prerequisites for the attack and how the vulnerability works. The researcher assigned to the vulnerability calculates the CVSS score using the <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator" rel="noreferrer noopener" target="_blank">same calculator used by the NVD</a>, and another researcher conducts a quality assurance review to confirm that the score is correct before it is published to the <a href="https://sca.analysiscenter.veracode.com/vulnerability-database/" rel="noreferrer noopener" target="_blank">Veracode vulnerability database</a>.</p>
</li>
</ul>
<h2 aria-level="3" paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{135}" paraid="1841234544" role="heading">Vulnerable Methods </h2>
<p class="footnote" paraeid="{edac1523-8fd1-4d43-b1e1-81fdc3070104}{92}" paraid="199395687">SCA agent scans create a call graph to see how data and control flow through an application. If data flows through a part of an open-source library that Veracode’s security research team has identified as vulnerable, SCA indicates to developers that their application has a vulnerable method, which opens their application to exploits. Detection of vulnerable methods is so important because it gives developers a clear picture of what needs to be fixed first. With over 56% of CVEs having a CVSS rating of high or critical,<sup>3</sup> using severity alone to prioritize is insufficient.</p>
<p paraeid="{edac1523-8fd1-4d43-b1e1-81fdc3070104}{164}" paraid="1778334626">It’s worth noting that some SCA vendors claim to detect “reachability,” which involves checking whether first-party code reaches the vulnerable library, but Veracode’s vulnerable method analysis can pinpoint whether first-party code calls the actual vulnerable method inside the library.</p>
<h2 aria-level="3" paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{147}" paraid="876754845" role="heading">License Risks </h2>
<p paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{161}" paraid="1288431132">Unlike the NVD, Veracode’s vulnerability database contains more than just vulnerabilities; it also tracks the licenses attached to third-party, open-source components and the risks associated with those licenses. These risks are identified during an SCA scan and can help organizations avoid issues related to copyleft licenses.</p>
<p aria-level="2" class="footnote" paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{165}" paraid="93102359" role="heading"><strong>References </strong></p>
<p class="footnote" paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{171}" paraid="1744093244">1 Internet Archive, <a href="https://web.archive.org/web/20240212021622/https:/nvd.nist.gov/general/nvd-dashboard" rel="noreferrer noopener" target="_blank">https://web.archive.org/web/20240212021622/https:/nvd.nist.gov/general/nvd-dashboard</a> </p>
<p class="footnote" paraeid="{ffbf6bf7-6990-4679-9ac6-1b966e0e871d}{186}" paraid="2009254993">2 NVD Dashboard, <a href="https://nvd.nist.gov/general/nvd-dashboard" rel="noreferrer noopener" target="_blank">https://nvd.nist.gov/general/nvd-dashboard</a> </p>
<p class="footnote" paraeid="{edac1523-8fd1-4d43-b1e1-81fdc3070104}{250}" paraid="584243939">3 CVE Details, <a href="https://www.cvedetails.com/" rel="noreferrer noopener" target="_blank">https://www.cvedetails.com</a> </p>
<p class="footnote" paraeid="{edac1523-8fd1-4d43-b1e1-81fdc3070104}{250}" paraid="584243939"><strong>Special Thanks</strong></p>
<p class="footnote" paraeid="{edac1523-8fd1-4d43-b1e1-81fdc3070104}{250}" paraid="584243939">Special thanks to Peter Monaghan, Veracode Product Manager, for valuable contributions to this piece.</p>
</div>
<span><span lang="" about="/users/nova-trauben" typeof="schema:Person" property="schema:name" datatype="">Nova Trauben</span></span>
<span><time datetime="2024-03-28T10:05:47-04:00" title="Thursday, March 28, 2024 - 10:05">Thu, 03/28/2024 - 10:05</time>
</span>
<div class="field field--name-field-featured-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="/sites/default/files/Veracode%20and%20NVD%20.png" width="800" height="414" alt="" typeof="foaf:Image" />
</div>
</description>
<pubDate>Thu, 28 Mar 2024 14:05:47 +0000</pubDate>
<dc:creator>Nova Trauben</dc:creator>
<guid isPermaLink="false">65181 at https://www.veracode.com</guid>
</item>
<item>
<title>test webinar</title>
<link>https://www.veracode.com/test-webinar</link>
<description>
<span>test webinar</span>
<span><span lang="" about="/users/dantrancodeenginestudiocom" typeof="schema:Person" property="schema:name" datatype="" content="dan.tran@codeenginestudio.com">dan.tran@codee…</span></span>
<span><time datetime="2024-03-28T05:35:35-04:00" title="Thursday, March 28, 2024 - 05:35">Thu, 03/28/2024 - 05:35</time>
</span>
<section class="section">
<div class="container-fluid">
<div class="row">
<div class="col-md-12 px-0">
<div class="block block-layout-builder block-inline-blockwebinar-speaker vc-resource-new__webinars-body vc-resource-new webinar-block">
<div class="main-content separate-block">
<div class='vc-resource-new__webinars-content-wrapper'>
<div class='vc-resource-new__webinars-content'>
<h4 class="mb-0">Speaker title</h4>
<div class="webinar-speakers block-title">
<div class="speaker">
<div class="speaker-image">
<img src="/sites/default/files/2022-11/Chris-Wysopal.png">
</div>
<div class="speaker-info">
<span class="full-name">Chris Wysopal</span>
<span class="position">Founder</span>
<span class="company">Veracode</span>
</div>
</div>
<div class="speaker">
<div class="speaker-image">
<img src="/sites/default/files/2023-02/Andre-Cuenin.png">
</div>
<div class="speaker-info">
<span class="full-name">Andre Cuenin</span>
<span class="position">Chief Revenue Officer</span>
<span class="company">Veracode</span>
</div>
</div>
<div class="speaker">
<div class="speaker-image">
<img src="/sites/default/files/2022-11/John-Smith.png">
</div>
<div class="speaker-info">
<span class="full-name">John Smith</span>
<span class="position">Chief Technology Officer</span>
<span class="company">Veracode</span>
</div>
</div>
<div class="speaker">
<div class="speaker-image">
<img src="/sites/default/files/2022-11/Brian-Roche.png">
</div>
<div class="speaker-info">
<span class="full-name">Brian Roche</span>
<span class="position">Chief Product Officer</span>
<span class="company">Veracode</span>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="block block-layout-builder block-inline-blockwebinar-award vc-resource-new__webinars-body vc-resource-new webinar-block">
<div class="main-content separate-block">
<div class='vc-resource-new__webinars-content-wrapper'>
<div class='vc-resource-new__webinars-content'>
<h4>Recognized</h4>
<div class="webinar-award-text block-title">
<p>It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout. The point of using Lorem Ipsum is that it has a more-or-less normal distribution of letters, as opposed to using 'Content here, content here', making it look like readable English. Many desktop publishing packages and web page editors now use Lorem Ipsum as their default model text, and a search for 'lorem ipsum' will uncover many web sites still in their infancy. Various versions have evolved over the years, sometimes by accident, sometimes on purpose (injected humour and the like).</p>
</div>
<div class="webinar-award-logos">
<div class="logo-wrapper">
<div class="logo-image__container">
<div class="logo-image zoom-hover">
<img src="/sites/default/files/2022-09/award-peerspot-no-1-ranked.png">
</div>
</div>
</div>
<div class="logo-wrapper">
<div class="logo-image__container">
<div class="logo-image zoom-hover">
<img src="/sites/default/files/2023-04/award-trustradius-best-software-2022_0.png">
</div>
</div>
</div>
<div class="logo-wrapper">
<div class="logo-image__container">
<div class="logo-image zoom-hover">
<img src="/sites/default/files/2023-04/award-peerspot-user-choice-2022.png">
</div>
</div>
</div>
<div class="logo-wrapper">
<div class="logo-image__container">
<div class="logo-image zoom-hover">
<img src="/sites/default/files/2023-08/award-TrustRadius-Badge-Best-Of-Price-Winter-2023.png">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="block block-layout-builder block-inline-blockwhitepaper-cta vc-resource-new">
<div class="main-content separate-block">
<div class="vc-resource-new__whitepapers-pre-footer-wrapper">
<div class="vc-resource-new__whitepapers-pre-footer">
<div class="prefooter-text">Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore</div>
<div class="prefooter-button-wrapper">
<a href="https://www.veracode.com/" target="_blank" class="btn prefooter-button">Download Now</a>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
</description>
<pubDate>Thu, 28 Mar 2024 09:35:35 +0000</pubDate>
<dc:creator>dan.tran@codeenginestudio.com</dc:creator>
<guid isPermaLink="false">65171 at https://www.veracode.com</guid>
</item>
<item>
<title>Resolving Simple Cross-Site Scripting Flaws with Veracode Fix</title>
<link>https://www.veracode.com/blog/intro-appsec/resolving-simple-cross-site-scripting-flaws-veracode-fix</link>
<description>
<span>Resolving Simple Cross-Site Scripting Flaws with Veracode Fix</span>
<div class="field field--name-body field--type-text-with-summary field--label-hidden field__item"><p class="text-align-justify"><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif">In the last blog on <a href="//www.veracode.com/blog/secure-development/using-veracode-fix-remediate-sql-injection-flaw">fixing vulnerabilities with Veracode Fix,</a> we looked at SQL Injection remediation in a Java application. Since then, we have released Fix support for Python (and PHP) and launched a new <a href="//www.veracode.com/blog/customer-news/veracode-scan-vs-code-now-veracode-fix">VS Code plugin that includes support for Fix</a>.</span></span></p>
<p class="text-align-justify"><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif">It seems appropriate, therefore, to look at resolving a problem in a Python app using Veracode Fix in the VS Code IDE. This time let’s examine a simple cross-site scripting (XSS) weakness. </span></span></p>
<h2 class="text-align-justify">What is an XSS Vulnerability?</h2>
<p class="text-align-justify"><span style="font-size:9pt"><span style="line-height:15pt"><span style="font-family:Poppins"><span lang="EN-US" style="font-size:12.0pt"><span style="font-family:"Calibri",sans-serif">An XSS vulnerability occurs when an attacker injects malicious code into a trusted website, which is then executed by unsuspecting users. This can lead to unauthorized access, data theft, or manipulation of user sessions. XSS vulnerabilities are commonly found in input fields, comments sections, or poorly validated user-generated content. A simple demonstration example is often to enter the following text in a user input field:</span></span></span></span></span></p>
<pre>
<code class="language-html"><script>alert('XSS Attack!');</script></code></pre><p class="text-align-justify">If an application does not sanitize this input and later displays it in an HTML response, the browser will interpret the output as code and display a dialog box with the ‘XSS Attack!’ message. Although this example is harmless, the same injection point could obviously be used for something far more dangerous.</p>
<p class="text-align-justify">Although simple XSS vulnerabilities are generally easy to resolve, XSS weaknesses are still amongst the most common problems detected by Veracode’s Static Analysis tool.</p>
<p class="text-align-justify">If you’re a Veracode customer and you’d like to follow along, take a look at <a href="//www.veracode.com/blog/customer-news/announcing-veracode-scan-unified-sast-and-sca-ide-plugin">this blog</a>, where we introduce Veracode Scan for VS Code, or check out the <a href="https://docs.veracode.com/r/Veracode_Scan_for_VS_Code">documentation</a>.</p>
<h2>Generating (Deliberately) Vulnerable Code with AI</h2>
<p class="text-align-justify"><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif">There are plenty of deliberately (and accidentally) vulnerable web applications available. For this simple example, however, it was just as easy (and more entertaining) to use a couple of AI services to generate deliberately vulnerable code.</span></span></p>
<p class="text-align-justify"><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif">Since the author is not yet much of a prompt engineer, the first task is to use ChatGPT to generate a good prompt for GitHub Copilot to use:</span></span></p>
<pre>
<code>Acting as a prompt engineer, create an optimized prompt for GitHub copilot to create a deliberately vulnerable python app using flask to demonstrate a cross-site scripting vulnerability.</code></pre><p>Here’s the optimized prompt:</p>
<pre>
<code>Create a simple Python web application using Flask that demonstrates a cross-site scripting (XSS) vulnerability. The application should have a single route ("/") that renders an HTML form with a text input field. Upon submitting the form, the input value should be reflected back to the user on the same page.
The goal is to demonstrate a potential XSS vulnerability where user-supplied input is not properly sanitized or escaped before being rendered back to the user. This could allow an attacker to inject malicious JavaScript code that gets executed in the context of other users' browsers when they visit the page.
Your task is to generate code that achieves the following:
1. Set up a Flask application with a single route ("/") that renders an HTML form.
2. The form should have a text input field.
3. When the form is submitted, the input value should be echoed back to the user on the same page.
4. Ensure that the input value is not properly sanitized or escaped, leaving the application vulnerable to XSS attacks.
5. Add comments to explain the purpose of each part of the code.
Generate code snippets that demonstrate the vulnerable parts of the application, including where user input is accepted and where it is reflected back to the user without proper sanitization.
Bonus: Provide a short description of how an attacker could exploit this XSS vulnerability to execute arbitrary JavaScript code in the context of other users' browsers.</code></pre><p>Next, we feed that prompt into Copilot in the VS Code IDE and generate an app:</p>
<pre>
<code class="language-python">from flask import Flask, request, render_template_string
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
if request.method == 'POST':
# Retrieve the user input from the form
user_input = request.form.get('input')
# Render the template with the user input
return render_template_string('<h1>Input: {{ user_input }}</h1>', user_input=user_input)
# Render the HTML form
return '''
<form method="POST">
<input type="text" name="input">
<input type="submit" value="Submit">
</form>
'''
if __name__ == '__main__':
app.run()</code></pre><p><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif">You can see from the code that we are just returning the user input from the form without any sanitization, making it an easy target for an XSS attack:</span></span></p>
<pre>
<code class="language-python">return render_template_string('<h1>Input: {{ user_input }}</h1>', user_input=user_input)</code></pre><p><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif">To make it look a little more like a project the following directory structure was used:</span></span></p>
<pre>
<code class="language-bash">pyxss
├── requirements.txt
└── src
├── templates
│ └── index.html
└── xss.py</code></pre><p><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Lato",sans-serif">(The "templates->index.html" directory and file are just an artifact from a previous project, but might be useful later if we build this demo app out.)</span></span></span></p>
<p><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Lato",sans-serif">Next, we need to set up our directory as a git repository with git init, git add, and git commit. </span></span></span></p>
<h2>Scanning the Code and Resolving Flaws with Veracode Fix </h2>
<p><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Lato",sans-serif">Now we’re ready to scan the project using Veracode Scan, by clicking on the Veracode Plugin icon, then hitting the ‘Start Scanning’ button. In the background, the agent is packaging and uploading the deployment artifact to the Veracode platform, which performs a static scan and returns the results: </span></span></span></p>
<p><img alt="VS Code with Veracode Scan" data-entity-type="file" data-entity-uuid="218f20e0-34e6-4bee-a85a-b4eb9ceda99d" src="//www.veracode.com/sites/default/files/inline-images/Screenshot%202024-03-26%20at%2010.39.41_0.png" /></p>
<p>Reassuringly, there is only one discovered flaw, and it’s CWE-80, a basic XSS weakness.</p>
<p><img alt="Scan results" data-entity-type="file" data-entity-uuid="28846d39-1de7-489a-a63c-d06113b895c7" src="//www.veracode.com/sites/default/files/inline-images/Screenshot%202024-03-26%20at%2010.42.06.png" /></p>
<p>You will notice the blue dot at the beginning of the finding line, indicating that a Veracode Fix suggestion may be available. To activate the Fix, click on the ⓘ symbol at the end of the line:</p>
<p><img alt="Veracode Fix in Vs Code" data-entity-type="file" data-entity-uuid="f00937c2-b134-4184-8b3f-f13838404e9e" src="//www.veracode.com/sites/default/files/inline-images/Screenshot%202024-03-26%20at%2010.48.14.png" /></p>
<p>Fix offers us the following suggestion as option 1 (of 4):</p>
<pre>
<code class="language-python">+from html import escape
…
- return render_template_string('<h1>Input: {{ user_input }}</h1>', user_input=user_input)
+ return render_template_string(escape('<h1>Input: {{ user_input }}</h1>'), user_input=user_input)</code></pre><p>All that has been changed is to add an escape() call around the returned content, but this will be sufficient to protect against a lot of XSS attacks: Python’s HTML escape function converts special HTML characters into their corresponding HTML entities, so user-provided text is rendered safely in HTML documents. In addition, the correct import line has been added to make the escape function available.</p>
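Review bot: the escape() in the + line wraps the template literal rather than the untrusted value, so it is the template's own h1 tags that get converted to entities (the heading would render as literal text), while {{ user_input }} contains nothing that escape() rewrites and is still expanded by the template engine, leaving the user-supplied value handled exactly as before. The encoding belongs on the value, not on the template source: keep the template literal as it was and apply the escaping to user_input, or rely on the template engine's own autoescaping of {{ user_input }}.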
<p>This looks good, so all we need to do is hit the ‘Apply Fix’ button to add this to our code, then hit ‘Rescan’. Unfortunately, this change generates a new flaw, <a href="https://cwe.mitre.org/data/definitions/1336.html">CWE-1336</a> (server-side template injection). Rather than spend too much time researching this flaw, let’s revert the change, rescan, and look at the other Fix suggestions.</p>
<p>Option 3, which shifts the escape() function to the whole returned string rather than just the part that came from the user, looks like a good resolution:</p>
<pre>
<code class="language-python">+ return escape(render_template_string('<h1>Input: {{ user_input }}</h1>', user_input=user_input))</code></pre><p><span style="font-size:12pt"><span style="font-family:Calibri,sans-serif"><span lang="EN-US" style="font-family:"Lato",sans-serif">Applying this fix and rescanning gives us the happy result of no flaws found! </span></span></span></p>
<h2>Conclusion</h2>
<p>In this case, the first Fix suggestion did not produce a perfect result, but one of the other suggestions gave us the result we needed to successfully pass a Veracode Static Scan and, more importantly, to secure our app.</p>
<p>If you’re interested in how Veracode Fix can help you resolve flaws faster, why not <a href="//www.veracode.com/contact-us">contact us</a>, or request a <a href="https://info.veracode.com/veracode-solution-demo.html">personalized demo</a>.</p>
</div>
<span><span lang="" about="/users/rhaynes" typeof="schema:Person" property="schema:name" datatype="">rhaynes</span></span>
<span><time datetime="2024-03-26T14:45:35-04:00" title="Tuesday, March 26, 2024 - 14:45">Tue, 03/26/2024 - 14:45</time>
</span>
<div class="field field--name-field-featured-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="/sites/default/files/Resolve%20XXS%20Vulnerability%20with%20Veracode%20Fix.png" width="800" height="414" alt="" typeof="foaf:Image" />
</div>
</description>
<pubDate>Tue, 26 Mar 2024 18:45:35 +0000</pubDate>
<dc:creator>rhaynes</dc:creator>
<guid isPermaLink="false">65161 at https://www.veracode.com</guid>
</item>
<item>
<title>Unleash the Force: AI's Game-Changing Role in DevSecOps</title>
<link>https://www.veracode.com/events/unleash-the-force-ai-game-changing-role-in-devsecops</link>
<description>
<span>Unleash the Force: AI's Game-Changing Role in DevSecOps</span>
<span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span>
<span><time datetime="2024-03-25T07:55:12-04:00" title="Monday, March 25, 2024 - 07:55">Mon, 03/25/2024 - 07:55</time>
</span>
<div class="field field--name-field-event-start-date field--type-datetime field--label-above">
<div class="field__label">Event Start Date</div>
<div class="field__item"><time datetime="2024-04-23T16:00:00Z">Tue, 04/23/2024 - 12:00</time>
</div>
</div>
<div class="field field--name-field-event-end-date field--type-datetime field--label-above">
<div class="field__label">Event End Date</div>
<div class="field__item"><time datetime="2024-04-23T18:00:00Z">Tue, 04/23/2024 - 14:00</time>
</div>
</div>
<div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above">
<div class="field__label">Featured Event</div>
<div class="field__item">Off</div>
</div>
<div class="field field--name-field-resource-image field--type-entity-reference field--label-above">
<div class="field__label">Featured Image</div>
<div class="field__item"><a href="/media/image/14306" hreflang="en">veracode-event.jpg</a></div>
</div>
<div class="field field--name-field-event-location field--type-entity-reference field--label-above">
<div class="field__label">Event Location</div>
<div class="field__item"><a href="/vc-event-location/emea" hreflang="en">EMEA</a></div>
</div>
<div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above">
<div class="field__label">Event Type</div>
<div class="field__item"><a href="/vc-event-type/webinar" hreflang="en">Webinar</a></div>
</div>
<div class="field field--name-field-use-new-template field--type-list-string field--label-above">
<div class="field__label">Use new template</div>
<div class="field__item">Yes</div>
</div>
<div class="field field--name-field-resource-webinar field--type-entity-reference-revisions field--label-above">
<div class="field__label">Event General Info</div>
<div class="field__item"> <div class="paragraph paragraph--type--resource-webinar paragraph--view-mode--default">
<div class="field field--name-field-start-date field--type-datetime field--label-above">
<div class="field__label">Start Date</div>
<div class="field__item">2024-03-25T07:49:59</div>
</div>
<div class="field field--name-field-webinar-description field--type-text-long field--label-above">
<div class="field__label">Webinar Description</div>
<div class="field__item"><h2>About the Event:</h2>
<p>Discover how AI technology is revolutionizing the Software Development Life Cycle (SDLC) by seamlessly integrating into the DevSecOps workflow. Explore the power of AI-driven analysis and automated remediation, empowering development teams to identify and address vulnerabilities in real-time. By harnessing the force of AI, developers can proactively safeguard their software, significantly reducing risk and ensuring the delivery of secure and reliable applications. Don't miss this opportunity to unlock the game-changing potential of AI in DevSecOps.</p>
</div>
</div>
<div class="field field--name-field-title field--type-string field--label-above">
<div class="field__label">Marketo Title</div>
<div class="field__item">Claim your spot</div>
</div>
<div class="field field--name-field-gated-content field--type-boolean field--label-above">
<div class="field__label">Gated Content</div>
<div class="field__item">Off</div>
</div>
<div class="field field--name-field-marketo-form-id field--type-integer field--label-above">
<div class="field__label">Marketo Form ID</div>
<div class="field__item">330</div>
</div>
<div class="field field--name-field-expired-title field--type-string field--label-above">
<div class="field__label">Marketo Title (Past Start Date)</div>
<div class="field__item">Watch The Recording</div>
</div>
<div class="field field--name-field-button-text field--type-string field--label-above">
<div class="field__label">Marketo Form Button Text</div>
<div class="field__item">Register Now</div>
</div>
<div class="field field--name-field-expired-button-text field--type-string field--label-above">
<div class="field__label">Marketo Form Button Text (Past Start Date)</div>
<div class="field__item">Access The Video</div>
</div>
<div class="field field--name-field-start-date-timezone field--type-tzfield field--label-above">
<div class="field__label">Timezone</div>
<div class="field__item">GMT</div>
</div>
<div class="field field--name-field-show-end-date field--type-boolean field--label-above">
<div class="field__label">Show End Date</div>
<div class="field__item">Off</div>
</div>
</div>
</div>
</div>
<div class="field field--name-field-webinar-speakers field--type-entity-reference-revisions field--label-above">
<div class="field__label">Event Members</div>
<div class="field__items">
<div class="field__item"> <div class="paragraph paragraph--type--webinar-speaker-profile paragraph--view-mode--default">
<div class="field field--name-field-image field--type-entity-reference field--label-above">
<div class="field__label">Picture</div>
<div class="field__item"><a href="/media/image/19826" hreflang="en">matthew-salmon.jpg</a></div>
</div>
<div class="field field--name-field-full-name field--type-string field--label-above">
<div class="field__label">Speaker Name</div>
<div class="field__item">Matthew Salmon</div>
</div>
<div class="field field--name-field-job-title field--type-string field--label-above">
<div class="field__label">Speaker Position</div>
<div class="field__item">Sr Solution Architect</div>
</div>
<div class="field field--name-field-company-name field--type-string field--label-above">
<div class="field__label">Speaker Company</div>
<div class="field__item">Veracode</div>
</div>
</div>
</div>
<div class="field__item"> <div class="paragraph paragraph--type--webinar-speaker-profile paragraph--view-mode--default">
<div class="field field--name-field-image field--type-entity-reference field--label-above">
<div class="field__label">Picture</div>
<div class="field__item"><a href="/media/image/19831" hreflang="en">michael-svedsen.jpg</a></div>
</div>
<div class="field field--name-field-full-name field--type-string field--label-above">
<div class="field__label">Speaker Name</div>
<div class="field__item">Michael Svendsen</div>
</div>
<div class="field field--name-field-job-title field--type-string field--label-above">
<div class="field__label">Speaker Position</div>
<div class="field__item">Head of Pre-sales and Services</div>
</div>
<div class="field field--name-field-company-name field--type-string field--label-above">
<div class="field__label">Speaker Company</div>
<div class="field__item">Nordicmind</div>
</div>
</div>
</div>
</div>
</div>
<div class="field field--name-field-thank-you-page-content field--type-entity-reference-revisions field--label-above">
<div class="field__label">Thank you Page Content</div>
<div class="field__item"> <div class="paragraph paragraph--type--thank-you-page-content paragraph--view-mode--default">
<div class="field field--name-field-heading field--type-string field--label-above">
<div class="field__label">Heading</div>
<div class="field__item">Thank you for your interest</div>
</div>
<div class="field field--name-field-subheading field--type-text-long field--label-above">
<div class="field__label">Subheading</div>
<div class="field__item"><p>Thank you for your interest!</p>
</div>
</div>
<div class="field field--name-field-related-content field--type-entity-reference field--label-above">
<div class="field__label">Related Content</div>
<div class="field__items">
<div class="field__item"><a href="/resources/artificial-intelligence-ai-and-future-application-security" hreflang="en"> Artificial Intelligence (AI) and the Future of Application Security Testing</a></div>
<div class="field__item"><a href="/artificial-intelligence-and-secure-software-development" hreflang="en">Artificial Intelligence and Secure Software Development</a></div>
<div class="field__item"><a href="/resources/application-security-era-ai-driven-attacks" hreflang="en">Application Security in the Era of AI-driven Attacks</a></div>
</div>
</div>
<div class="field field--name-field-related-content-title field--type-string field--label-above">
<div class="field__label">Related Content Section Title</div>
<div class="field__item">Dive Deeper Into Related Content</div>
</div>
</div>
</div>
</div>
</description>
<pubDate>Mon, 25 Mar 2024 11:55:12 +0000</pubDate>
<dc:creator>Shafraz.Kamil@2x.marketing</dc:creator>
<guid isPermaLink="false">65136 at https://www.veracode.com</guid>
</item>
<item>
<title>Nordic Cyber Summit</title>
<link>https://www.veracode.com/node/65126</link>
<description>
<span>Nordic Cyber Summit</span>
<span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span>
<span><time datetime="2024-03-22T06:41:18-04:00" title="Friday, March 22, 2024 - 06:41">Fri, 03/22/2024 - 06:41</time>
</span>
<div class="field field--name-field-event-start-date field--type-datetime field--label-above">
<div class="field__label">Event Start Date</div>
<div class="field__item"><time datetime="2024-09-12T13:00:00Z">Thu, 09/12/2024 - 09:00</time>
</div>
</div>
<div class="field field--name-field-event-end-date field--type-datetime field--label-above">
<div class="field__label">Event End Date</div>
<div class="field__item"><time datetime="2024-09-13T21:00:00Z">Fri, 09/13/2024 - 17:00</time>
</div>
</div>
<div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above">
<div class="field__label">Featured Event</div>
<div class="field__item">Off</div>
</div>
<div class="field field--name-field-resource-image field--type-entity-reference field--label-above">
<div class="field__label">Featured Image</div>
<div class="field__item"><a href="/media/image/19781" hreflang="en">nordic-cyber-summit-2024-event.jpg</a></div>
</div>
<div class="field field--name-field-resource-link field--type-link field--label-above">
<div class="field__label">Link</div>
<div class="field__item"><a href="https://nordic.cyberseries.io/" target="_blank">Join Us</a></div>
</div>
<div class="field field--name-field-event-location field--type-entity-reference field--label-above">
<div class="field__label">Event Location</div>
<div class="field__item"><a href="/vc-event-location/emea" hreflang="en">EMEA</a></div>
</div>
<div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above">
<div class="field__label">Event Type</div>
<div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div>
</div>
<div class="field field--name-field-use-new-template field--type-list-string field--label-above">
<div class="field__label">Use new template</div>
<div class="field__item">No</div>
</div>
</description>
<pubDate>Fri, 22 Mar 2024 10:41:18 +0000</pubDate>
<dc:creator>Shafraz.Kamil@2x.marketing</dc:creator>
<guid isPermaLink="false">65126 at https://www.veracode.com</guid>
</item>
<item>
<title>Gartner Security & Risk Management Summit</title>
<link>https://www.veracode.com/node/65121</link>
<description>
<span>Gartner Security & Risk Management Summit</span>
<span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span>
<span><time datetime="2024-03-22T06:39:32-04:00" title="Friday, March 22, 2024 - 06:39">Fri, 03/22/2024 - 06:39</time>
</span>
<div class="field field--name-field-event-start-date field--type-datetime field--label-above">
<div class="field__label">Event Start Date</div>
<div class="field__item"><time datetime="2024-09-23T13:00:00Z">Mon, 09/23/2024 - 09:00</time>
</div>
</div>
<div class="field field--name-field-event-end-date field--type-datetime field--label-above">
<div class="field__label">Event End Date</div>
<div class="field__item"><time datetime="2024-09-25T21:00:00Z">Wed, 09/25/2024 - 17:00</time>
</div>
</div>
<div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above">
<div class="field__label">Featured Event</div>
<div class="field__item">Off</div>
</div>
<div class="field field--name-field-resource-image field--type-entity-reference field--label-above">
<div class="field__label">Featured Image</div>
<div class="field__item"><a href="/media/image/19776" hreflang="en">gartner-security-risk-management-summit-2024-event.jpg</a></div>
</div>
<div class="field field--name-field-resource-link field--type-link field--label-above">
<div class="field__label">Link</div>
<div class="field__item"><a href="https://www.gartner.com/en/conferences/emea/security-risk-management-uk" target="_blank">Join Us</a></div>
</div>
<div class="field field--name-field-event-location field--type-entity-reference field--label-above">
<div class="field__label">Event Location</div>
<div class="field__item"><a href="/vc-event-location/emea" hreflang="en">EMEA</a></div>
</div>
<div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above">
<div class="field__label">Event Type</div>
<div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div>
</div>
<div class="field field--name-field-use-new-template field--type-list-string field--label-above">
<div class="field__label">Use new template</div>
<div class="field__item">No</div>
</div>
</description>
<pubDate>Fri, 22 Mar 2024 10:39:32 +0000</pubDate>
<dc:creator>Shafraz.Kamil@2x.marketing</dc:creator>
<guid isPermaLink="false">65121 at https://www.veracode.com</guid>
</item>
<item>
<title>GOTO Amsterdam</title>
<link>https://www.veracode.com/node/65111</link>
<description>
<span>GOTO Amsterdam</span>
<span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span>
<span><time datetime="2024-03-21T10:04:46-04:00" title="Thursday, March 21, 2024 - 10:04">Thu, 03/21/2024 - 10:04</time>
</span>
<div class="field field--name-field-event-start-date field--type-datetime field--label-above">
<div class="field__label">Event Start Date</div>
<div class="field__item"><time datetime="2024-06-11T13:00:00Z">Tue, 06/11/2024 - 09:00</time>
</div>
</div>
<div class="field field--name-field-event-end-date field--type-datetime field--label-above">
<div class="field__label">Event End Date</div>
<div class="field__item"><time datetime="2024-06-12T21:00:00Z">Wed, 06/12/2024 - 17:00</time>
</div>
</div>
<div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above">
<div class="field__label">Featured Event</div>
<div class="field__item">Off</div>
</div>
<div class="field field--name-field-resource-image field--type-entity-reference field--label-above">
<div class="field__label">Featured Image</div>
<div class="field__item"><a href="/media/image/19761" hreflang="en">goto-amsterdam-2024-event.jpg</a></div>
</div>
<div class="field field--name-field-resource-link field--type-link field--label-above">
<div class="field__label">Link</div>
<div class="field__item"><a href="https://gotoams.nl/2024" target="_blank">Save Your Spot</a></div>
</div>
<div class="field field--name-field-event-location field--type-entity-reference field--label-above">
<div class="field__label">Event Location</div>
<div class="field__item"><a href="/vc-event-location/emea" hreflang="en">EMEA</a></div>
</div>
<div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above">
<div class="field__label">Event Type</div>
<div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div>
</div>
<div class="field field--name-field-use-new-template field--type-list-string field--label-above">
<div class="field__label">Use new template</div>
<div class="field__item">No</div>
</div>
</description>
<pubDate>Thu, 21 Mar 2024 14:04:46 +0000</pubDate>
<dc:creator>Shafraz.Kamil@2x.marketing</dc:creator>
<guid isPermaLink="false">65111 at https://www.veracode.com</guid>
</item>
<item>
<title>IT Web Security Summit Johannesburg</title>
<link>https://www.veracode.com/node/65106</link>
<description>
<span>IT Web Security Summit Johannesburg</span>
<span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span>
<span><time datetime="2024-03-21T10:02:02-04:00" title="Thursday, March 21, 2024 - 10:02">Thu, 03/21/2024 - 10:02</time>
</span>
<div class="field field--name-field-event-start-date field--type-datetime field--label-above">
<div class="field__label">Event Start Date</div>
<div class="field__item"><time datetime="2024-06-04T13:00:00Z">Tue, 06/04/2024 - 09:00</time>
</div>
</div>
<div class="field field--name-field-event-end-date field--type-datetime field--label-above">
<div class="field__label">Event End Date</div>
<div class="field__item"><time datetime="2024-06-06T21:00:00Z">Thu, 06/06/2024 - 17:00</time>
</div>
</div>
<div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above">
<div class="field__label">Featured Event</div>
<div class="field__item">Off</div>
</div>
<div class="field field--name-field-resource-image field--type-entity-reference field--label-above">
<div class="field__label">Featured Image</div>
<div class="field__item"><a href="/media/image/19756" hreflang="en">it-web-security-summit-johannesburg-2024-event.jpg</a></div>
</div>
<div class="field field--name-field-resource-link field--type-link field--label-above">
<div class="field__label">Link</div>
<div class="field__item"><a href="https://www.itweb.co.za/event/itweb-security-summit/" target="_blank">Register Now</a></div>
</div>
<div class="field field--name-field-event-location field--type-entity-reference field--label-above">
<div class="field__label">Event Location</div>
<div class="field__item"><a href="/vc-event-location/global" hreflang="en">Global</a></div>
</div>
<div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above">
<div class="field__label">Event Type</div>
<div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div>
</div>
<div class="field field--name-field-use-new-template field--type-list-string field--label-above">
<div class="field__label">Use new template</div>
<div class="field__item">No</div>
</div>
</description>
<pubDate>Thu, 21 Mar 2024 14:02:02 +0000</pubDate>
<dc:creator>Shafraz.Kamil@2x.marketing</dc:creator>
<guid isPermaLink="false">65106 at https://www.veracode.com</guid>
</item>
<item>
<title>GISEC Global 2024</title>
<link>https://www.veracode.com/node/65101</link>
<description>
<span>GISEC Global 2024</span>
<span><span lang="" about="/users/shafrazkamil2xmarketing" typeof="schema:Person" property="schema:name" datatype="" content="Shafraz.Kamil@2x.marketing">Shafraz.Kamil@…</span></span>
<span><time datetime="2024-03-21T09:56:17-04:00" title="Thursday, March 21, 2024 - 09:56">Thu, 03/21/2024 - 09:56</time>
</span>
<div class="field field--name-field-event-start-date field--type-datetime field--label-above">
<div class="field__label">Event Start Date</div>
<div class="field__item"><time datetime="2024-04-23T13:00:00Z">Tue, 04/23/2024 - 09:00</time>
</div>
</div>
<div class="field field--name-field-event-end-date field--type-datetime field--label-above">
<div class="field__label">Event End Date</div>
<div class="field__item"><time datetime="2024-04-25T21:00:00Z">Thu, 04/25/2024 - 17:00</time>
</div>
</div>
<div class="field field--name-field-resource-featured-resource field--type-boolean field--label-above">
<div class="field__label">Featured Event</div>
<div class="field__item">Off</div>
</div>
<div class="field field--name-field-resource-image field--type-entity-reference field--label-above">
<div class="field__label">Featured Image</div>
<div class="field__item"><a href="/media/image/19751" hreflang="en">gisec-global-2024-event.jpg</a></div>
</div>
<div class="field field--name-field-resource-link field--type-link field--label-above">
<div class="field__label">Link</div>
<div class="field__item"><a href="https://gisec.ae/" target="_blank">Register Now</a></div>
</div>
<div class="field field--name-field-event-location field--type-entity-reference field--label-above">
<div class="field__label">Event Location</div>
<div class="field__item"><a href="/vc-event-location/global" hreflang="en">Global</a></div>
</div>
<div class="field field--name-field-vc-event-type field--type-entity-reference field--label-above">
<div class="field__label">Event Type</div>
<div class="field__item"><a href="/vc-event-type/person" hreflang="en">In-Person</a></div>
</div>
<div class="field field--name-field-use-new-template field--type-list-string field--label-above">
<div class="field__label">Use new template</div>
<div class="field__item">No</div>
</div>
</description>
<pubDate>Thu, 21 Mar 2024 13:56:17 +0000</pubDate>
<dc:creator>Shafraz.Kamil@2x.marketing</dc:creator>
<guid isPermaLink="false">65101 at https://www.veracode.com</guid>
</item>
</channel>
</rss>