fineract-dev mailing list archives

From Thisura Philips <ttcphil...@gmail.com>
Subject Fwd: [Mifos-developer] Application for GSOC 2017( Static Analysis of Apache Fineract )
Date Mon, 10 Apr 2017 04:28:26 GMT
[Adding fineract dev.]
---------- Forwarded message ----------
From: Thisura Philips <ttcphilips@gmail.com>
Date: Mon, Apr 10, 2017 at 12:04 AM
Subject: Re: [Mifos-developer] Application for GSOC 2017( Static Analysis of Apache Fineract )
To: Nikhil Pawar <nickrp89@gmail.com>
Cc: Mifos software development <mifos-developer@lists.sourceforge.net>


Hi Nikhil,

I have attended to all 293 vulnerabilities reported as of 8/4/2017. I have
created a spreadsheet [1] covering every one of them.
Some of them are false positives. The true vulnerabilities should be
prioritized and fixed. I will open a thread for critical vulnerabilities
to discuss and find a solution.

As the next step I will work on two things.

1. Scan the codebase using OWASP LAPSE
2. Integrate TOIF

Please let me know if we have a better plan.


[1] https://docs.google.com/spreadsheets/d/1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4/edit?usp=sharing
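Two of the finding categories quoted further down in this thread are easier to judge with a concrete case: the "public static final" array and mutable-field rules (CWE-582, CWE-607, CWE-500), and the note under the hard-coded-credential rule (CWE-798, CWE-259) about keeping a password in a char array that is cleared right after use. The class below is an added illustration written for this page; it is not Fineract code and not code from anyone on the thread. The class names, the role values, the method names and the environment variable DEMO_SERVICE_PASSWORD are all hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added illustration (not Fineract code) of two finding categories quoted in
 * this thread: "public static final" arrays / mutable objects (CWE-582, CWE-607,
 * CWE-500) and a credential kept in a char[] that is wiped after use instead of
 * a String (the note under CWE-798 / CWE-259). All names here are hypothetical.
 */
public class StaticFieldHardening {

    /** Before: the reference is final, but the elements are writable by any caller. */
    static final class RoleCheckBefore {
        public static final String[] ALLOWED_ROLES = {"TELLER", "ADMIN"};

        static boolean isAllowed(String role) {
            return Arrays.asList(ALLOWED_ROLES).contains(role);
        }
    }

    /** After: the array is private; only copies or read-only views leave the class. */
    static final class RoleCheckAfter {
        private static final String[] ALLOWED_ROLES = {"TELLER", "ADMIN"};

        // Read-only view over a private copy, so neither list.set() nor a
        // leaked array reference can change what isAllowed() decides.
        public static final List<String> ALLOWED =
                Collections.unmodifiableList(Arrays.asList(ALLOWED_ROLES.clone()));

        static boolean isAllowed(String role) {
            return ALLOWED.contains(role);
        }

        /** Callers that need an array get a fresh copy every time. */
        static String[] allowedRoles() {
            return ALLOWED_ROLES.clone();
        }
    }

    /**
     * Compares the supplied password against the expected one without
     * short-circuiting on the first mismatch, then wipes both buffers in
     * finally so the secret does not outlive the check on the heap.
     */
    static boolean authenticate(char[] supplied, char[] expected) {
        try {
            if (supplied.length != expected.length) {
                return false;
            }
            int diff = 0;
            for (int i = 0; i < supplied.length; i++) {
                diff |= supplied[i] ^ expected[i];
            }
            return diff == 0;
        } finally {
            Arrays.fill(supplied, '\0');
            Arrays.fill(expected, '\0');
        }
    }

    /**
     * The expected secret comes from the environment rather than a literal.
     * DEMO_SERVICE_PASSWORD is a hypothetical variable name; the fallback
     * literal exists only so this demo runs offline, and it is exactly the
     * hard-coded-credential pattern that the scanner flags.
     */
    static char[] expectedPassword() {
        String fromEnv = System.getenv("DEMO_SERVICE_PASSWORD");
        return (fromEnv != null ? fromEnv : "constructed-demo-secret").toCharArray();
    }

    public static void main(String[] args) {
        // 1. Writing into the "final" array of the Before class succeeds, and the
        //    change is visible to every later authorization decision.
        RoleCheckBefore.ALLOWED_ROLES[1] = "ANYONE";
        System.out.println("before: ANYONE allowed? " + RoleCheckBefore.isAllowed("ANYONE"));

        // 2. The After class hands out copies; changing them changes nothing,
        //    and the public list rejects writes outright.
        String[] copy = RoleCheckAfter.allowedRoles();
        copy[1] = "ANYONE";
        System.out.println("after:  ANYONE allowed? " + RoleCheckAfter.isAllowed("ANYONE"));
        try {
            RoleCheckAfter.ALLOWED.set(1, "ANYONE");
        } catch (UnsupportedOperationException e) {
            System.out.println("after:  ALLOWED list is read-only");
        }

        // 3. Password handled as char[] and wiped as soon as it has been compared
        //    (the supplied value is a constructed sample for the demo).
        char[] supplied = "constructed-demo-secret".toCharArray();
        boolean ok = authenticate(supplied, expectedPassword());
        System.out.println("authenticated: " + ok
                + ", supplied buffer wiped: " + (supplied[0] == '\0'));
    }
}
```

Compile and run with `javac StaticFieldHardening.java && java StaticFieldHardening`. The first two steps are the substance of the CWE-582/607 rules: `final` on an array or collection field only freezes the reference, so a public one is effectively a global mutable, and lowering visibility plus handing out copies or unmodifiable views is the fix the thread proposes. The third step shows why the scanner's hard-coded-credential note talks about char arrays: a `String` cannot be cleared, whereas `Arrays.fill` in a `finally` block bounds how long the secret is readable in a heap dump, which narrows the window but, as the thread says, does not replace keeping the credential out of the source in the first place.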

On Sun, Apr 2, 2017 at 11:37 PM, Nikhil Pawar <nickrp89@gmail.com> wrote:

> Hello Thisura,
>
> This looks good. All the best.
>
> Regards,
> Nikhil
>
>
> ------------------------------
> *From:* Thisura Philips <ttcphilips@gmail.com>
> *To:* Mifos software development <mifos-developer@lists.sourceforge.net>
> *Cc:* Nikhil Pawar <nickrp89@gmail.com>
> *Sent:* Sunday, 2 April 2017 8:30 AM
> *Subject:* Re: [Mifos-developer] Application for GSOC 2017( Static
> Analysis of Apache Fineract )
>
> Hi Nikhil,
>
> I updated the document with the tools and rough plan of scanning modules.
> Could you please check that and let me know whether it is ok?
>
> Thanks and Regards.
>
> On Sun, Apr 2, 2017 at 11:07 AM, Thisura Philips <ttcphilips@gmail.com>
> wrote:
>
> Hi Nikhil and Sendoro,
>
> Thank you very much for the feedback. I will do the needful.
>
>
>
> On Sun, Apr 2, 2017 at 10:42 AM, <sendoro@singo.co.tz> wrote:
>
> Hi Thisura,
>
> Sounds great with additional comment from Nikhil!
>
> Regards
> Sendoro
>
>
> On 2017-04-01 15:29, Thisura Philips wrote:
> > Hi Nikhil,
> >
> > I have created a draft proposal at [1]. Sorry for waiting this late to
> > give the draft. Kindly go through it and let me know anything that needs
> > to be updated, if you have some time. I highly appreciate your
> > suggestions to make it a better proposal.
> >
> > [1] https://docs.google.com/document/d/1q5Z1mWjoi8bTsV6pMzAXPlthmcYCTBDE9Ee_bzRt95Q/edit?usp=sharing [27]
> >
> > Best Regards
> >
> > On Fri, Mar 31, 2017 at 12:47 AM, Thisura Philips
> > <ttcphilips@gmail.com> wrote:
> >
> >> Hi Nikhil,
> >> Understood. I am really excited to start working on these.
> >> Sorry about not bouncing back with the proceedings. I spent a little
> >> bit of time getting familiar with the code.
> >> I have sent a few PRs and played with the community app, and debugged
> >> the code to get hands-on with OpenMF and Fineract.
> >> I will be spending time creating a proposal (as the closing date is
> >> coming) and will get back to work after submitting the proposal.
> >> Thanks again for your great help.
> >>
> >> Best Regards,
> >>
> >> On Sat, Mar 25, 2017 at 11:37 PM, Nikhil Pawar <nickrp89@gmail.com>
> >> wrote:
> >>
> >> Hello Thisura,
> >>
> >> Good work. Currently there are no tickets logged, as nobody has done
> >> static analysis on the code.
> >> Once you have the findings, you should prioritize them and do deeper
> >> analysis.
> >> In our case, findings in the 5th point are of course of higher priority,
> >> so we should take a second look at them and rule them out in case of
> >> false positives. Suppose you find them to be true positives, you should
> >> open a ticket and fix them.
> >>
> >> Regarding your question of including SonarQube as a build plugin, it
> >> has already been done along with PMD and FindBugs.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> -------------------------
> >> FROM: Thisura Philips <ttcphilips@gmail.com>
> >> TO: "nickrp89@gmail.com" <nickrp89@gmail.com>
> >> CC: Mifos Software Development <mifos-developer@lists.sourceforge.net>
> >> SENT: Wednesday, 22 March 2017 1:57 PM
> >> SUBJECT: Re: [Mifos-developer] Application for GSOC 2017( Static
> >> Analysis of Apache Fineract )
> >>
> >> Hi Nikhil,
> >>
> >> The summarized vulnerabilities are as follows. The fifth one seems
> >> to be more or less a false positive. We can surely improve the
> >> reported vulnerabilities with the proposed solution. What do you
> >> think?
> >>
> >> * Mutable fields should not be "public static"
> >>   * MITRE, CWE-582 [1] - Array Declared Public, Final, and Static
> >>   * MITRE, CWE-607 [2] - Public Static Final Field References Mutable Object
> >>
> >>   Solution - Make the respective members protected. If they are in a
> >>   class, move them to a separate class and lower the visibility.
> >>
> >> * "static final" arrays should be "private"
> >>   * MITRE, CWE-582 [1] - Array Declared Public, Final, and Static
> >>   * MITRE, CWE-607 [2] - Public Static Final Field References Mutable Object
> >>
> >>   Solution - Make the array private.
> >>
> >> * Generic exceptions should never be thrown
> >>   * MITRE, CWE-397 [3] - Declaration of Throws for Generic Exception
> >>
> >>   Solution - Define and throw a dedicated exception instead of using
> >>   a generic one.
> >>
> >> * Throwable and Error should not be caught
> >>   * MITRE, CWE-396 [4] - Declaration of Catch for Generic Exception
> >>   * CERT, ERR07-J [5] - Do not throw RuntimeException, Exception, or Throwable
> >>
> >>   Solution - Catch Exception instead of Throwable.
> >>
> >> * Credentials should not be hard-coded
> >>   * MITRE, CWE-798 [6] - Use of Hard-coded Credentials
> >>   * MITRE, CWE-259 [7] - Use of Hard-coded Password
> >>   * SANS Top 25 [8] - Porous Defenses
> >>   * OWASP Top Ten 2013 Category A2 [9] - Broken Authentication and Session Management
> >>   * Derived from FindSecBugs rule Hard Coded Password [10]
> >>
> >>   Solution - Credentials should not be hard-coded.
> >>   Note: This is more or less a false positive. We can reduce the time
> >>   frame for discovering the passwords by storing them in a char array
> >>   and clearing them just after use.
> >>
> >> * "public static" fields should be constant
> >>   * MITRE, CWE-500 [11] - Public Static Field Not Marked Final
> >>   * CERT OBJ10-J [12] - Do not use public static nonfinal variables
> >>
> >>   Solution - Make the respective field final.
> >>
> >> * Throwable.printStackTrace should not be called
> >>
> >>   Solution - Use a logger to log this exception.
> >>
> >> * "enum" fields should not be publicly mutable
> >>
> >>   Solution - Lower the visibility of the setter. Remove it
> >>   altogether.
> >>
> >> I am maintaining one doc for the summary [1]. I will update this
> >> document with the results of the other tools. I will also prepare an
> >> Excel sheet to track these with the PRs fixing these issues.
> >>
> >> Is there a respective ticket to work on these at the moment? Kindly
> >> let me know.
> >>
> >> [1] https://docs.google.com/document/d/1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U/edit?usp=sharing [13]
> >>
> >> Thanks and regards.
> >>
> >> On Wed, Mar 22, 2017 at 11:46 AM, Nikhil Pawar <nickrp89@gmail.com>
> >> wrote:
> >> It's ok to continue the discussion regarding static analysis in
> >> this thread. We generally create a different thread for each
> >> topic.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> Sent from Yahoo Mail on Android [14]
> >>
> >> On Tue, Mar 21, 2017 at 8:55 PM, Thisura Philips
> >> <ttcphilips@gmail.com> wrote:
> >>
> >> Hi Nikhil,
> >> Surely yes, Nikhil. I wanted to give it a try and see how it works
> >> with ZAP. :)
> >> Actually, at first I had a doubt about having two projects, for
> >> dynamic and static scanning. Then I realized that we need two.
> >>
> >> I went through all of the 263 vulnerabilities and summarized them
> >> according to the reported vulnerability. (That is where I realized
> >> that we need two projects.)
> >>
> >> Shall I go ahead and start a thread for each of them, to discuss
> >> the severity and the solution (for some, CWE and CERT have
> >> suggested one), or shall we start talking in one new thread? Still
> >> new to the community, so I would like to know the best practice.
> >>
> >> On Tue, Mar 21, 2017 at 6:57 AM, Nikhil Pawar <nickrp89@gmail.com>
> >> wrote:
> >>
> >> Hi Thisura,
> >>
> >> We have included RATS, and there was a discussion I remember wherein
> >> PMD and FindBugs were to be integrated.
> >> I'll get back to you on this. I am not sure how that would make your
> >> job easy.
> >> Scanning the project part by part would be easier, I think.
> >> I saw your email regarding pen testing; kindly note both are
> >> different projects.
> >> As far as static analysis is concerned, a lot more is expected of you
> >> than just scanning your project.
> >>
> >> You would have to compare analysis from other tools as well.
> >> We can help after you are done with your analysis whether you should
> >> implement the change or not.
> >>
> >> I would recommend you to choose the project which is most closely
> >> aligned to your skills and interests.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> -------------------------
> >> FROM: Thisura Philips <ttcphilips@gmail.com>
> >> TO: Nikhil Pawar <nickrp89@gmail.com>
> >> CC: Mifos Software Development <mifos-developer@lists.sourceforge.net>
> >> SENT: Thursday, 16 March 2017 9:37 PM
> >> SUBJECT: Re: [Mifos-developer] Application for GSOC 2017( Static
> >> Analysis of Apache Fineract )
> >>
> >> Hi Nikhil,
> >>
> >> I was able to scan the project using SonarQube 5.6 with the
> >> SonarLint plugin you provided. I have scanned the mifos dev branch and
> >> pushed it to my local repo [1]. I linked the SonarQube server and
> >> SonarLint plugin and got the report. The generated report
> >> "sonarlintreport.zip" [2] is attached below.
> >>
> >> I have used the Gradle sonar plugin. I think we can apply the plugin if
> >> we are in the dev environment in the Gradle build. Let me know if we
> >> do; I will create a pull request.
> >>
> >> However, the security vulnerabilities reported by SonarQube do not
> >> seem to be in the SonarLint-generated report. (I have linked
> >> SonarQube with SonarLint as mentioned in [4].) Therefore I saved the
> >> SonarQube report HTML page and attached it in [3]. I will find out why
> >> it doesn't work as expected.
> >>
> >> There are 263 vulnerabilities reported in the mifos branch. I am
> >> currently going through each of them to see whether they are true.
> >> I will give an update based on the findings.
> >>
> >> [1] https://github.com/ThisuraThejith/incubator-fineract/tree/devOMFSonar [15]
> >> [2] https://drive.google.com/file/d/0B6WV3fK5Tak7RXFyWk5QM3AtVEU [16]
> >> [3] https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c [17]
> >> [4] http://www.sonarlint.org/commandline/ [18]
> >>
> >> Cheers!
> >> Best Regards.
> >>
> >> On Wed, Mar 15, 2017 at 2:55 PM, Thisura Philips
> >> <ttcphilips@gmail.com> wrote:
> >>
> >> Hi Nikhil,
> >>
> >> Thank you very much for the feedback.
> >>
> >> Yes, Sonar has the ability to classify the findings based on OWASP or
> >> CWE. I will do the necessary to scan the code base for security
> >> vulnerabilities.
> >> I am planning to run ZAP, which is related to the penetration test
> >> project, also.
> >>
> >> I will hang on to the good practice of having one commit in the PR. I
> >> updated the PR with one commit.
> >>
> >> Thanks again for the valuable feedback.
> >>
> >> Best Regards.
> >>
> >> On Wed, Mar 15, 2017 at 10:35 AM, Nikhil Pawar <nickrp89@gmail.com>
> >> wrote:
> >>
> >> ++ Mifos developers
> >>
> >> Hi Thisura,
> >>
> >> I saw your pull request and hence wanted to see your report.
> >> SonarQube is heavyweight; it has a dedicated database to store all
> >> your findings. I thought you were using SonarLint for the command line.
> >> This plugin is quite handy and it will generate HTML reports for you
> >> without compromising on the version.
> >> SonarLint for Command Line [18]
> >>
> >> Yes, we do follow coding styles and standards.
> >> Style is well defined and standard is an open topic, but the community
> >> mostly adheres to Java coding standards.
> >> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456933/Coding+Standards [19]
> >>
> >> For this project we are primarily focusing on the security issues
> >> and not coding style issues.
> >> The reason I wanted to see your report was to check if you have
> >> caught any security vulnerability.
> >>
> >> Based on your findings, you did a good job and I appreciate your
> >> hard work.
> >> But unfortunately, we are more interested in finding security
> >> issues.
> >> As far as I remember, Sonar has the ability to classify the findings
> >> as OWASP or CWE.
> >> With this ability, you could take reference from the CWE documentation.
> >> For example, if Sonar says it has found CWE-375, you should go
> >> through the documentation of CWE-375 and determine if it is a security
> >> issue (generally labelled as CERT in the case of CWEs). Once you have
> >> determined it as a security issue, open up a discussion with the
> >> community, let us know your findings and research, and then go ahead
> >> and fix it.
> >>
> >> Lastly, when you submit a PR, you should have a single commit (it is a
> >> community standard).
> >> Even I made the same mistake when I submitted my first PR :) .
> >>
> >> Let me know, if you have further queries.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> -------------------------
> >> FROM: Thisura Philips <ttcphilips@gmail.com>
> >> TO: Nikhil Pawar <nickrp89@gmail.com>
> >> CC: "mifos-developer@lists.sourceforge.net" <mifos-developer@lists.sourceforge.net>
> >>
> >> SENT: Monday, 13 March 2017 2:41 PM
> >> SUBJECT: Re: [Mifos-developer] Application for GSOC 2017( Static
> >> Analysis of Apache Fineract )
> >>
> >> Hi Nikhil,
> >> I used SonarQube 6.2 with the SonarLint IDEA plugin to scan the
> >> project. The PR at [1] is based on that.
> >>
> >> However, I couldn't find a plugin which could support SonarQube 6.2
> >> to generate a PDF report.
> >>
> >> Therefore I used SonarQube 4.5.7 along with the plugin at [2]. Here
> >> are the PDF reports for the apache incubator-fineract and mifos
> >> developer branches.
> >>
> >> BTW, can you please have a look at PR [1] [20] and let me know
> >> whether the changes done are important and how we can further
> >> improve the code.
> >>
> >> [1] https://github.com/apache/incubator-fineract/pull/307 [20]
> >> [2] https://github.com/SonarQubeCommunity/sonar-pdf-report/ [21]
> >>
> >> Thanks and regards
> >>
> >> On Sat, Mar 11, 2017 at 4:55 AM, Nikhil Pawar <nickrp89@gmail.com>
> >> wrote:
> >>
> >> Hey Thomas,
> >>
> >> Can you send me your sonar report?
> >> What did you use: SonarQube or SonarLint?
> >>
> >> Regards,
> >> Nikhil
> >>
> >> -------------------------
> >> FROM: Thisura Philips <ttcphilips@gmail.com>
> >> TO: Nikhil Pawar <nickrp89@gmail.com>
> >> CC: "mifos-developer@lists.sourceforge.net" <mifos-developer@lists.sourceforge.net>
> >> SENT: Thursday, 9 March 2017 7:12 AM
> >> SUBJECT: Re: [Mifos-developer] Application for GSOC 2017( Static
> >> Analysis of Apache Fineract )
> >>
> >> Hi Nikhil,
> >> I ran Sonar against Apache Fineract and resolved reported issues in
> >> the org.apache.fineract.accounting module.
> >> The PR is sent at [1]. I have a few problems.
> >>
> >> 1. Have we overridden toString() for strings? (Which I think is
> >> not needed.)
> >> 2. Do we have an in-house coding convention to have one-line conditional
> >> clauses? (I raised this in the thread "Coding convention for
> >> conditional clauses")
> >>
> >> [1] https://github.com/apache/incubator-fineract/pull/307 [20]
> >>
> >> On Fri, Mar 3, 2017 at 12:05 AM, Thisura Philips
> >> <ttcphilips@gmail.com> wrote:
> >>
> >> Hi Nikhil,
> >>
> >> Thank you very much for the invaluable tip.
> >>
> >> Of course, now I am playing with the code base and currently running
> >> SonarQube. I was thinking to run LAPSE as well. But with your tip I
> >> thought of doing it with TOIF, since I haven't used TOIF before. I will
> >> get back with an update of the results.
> >>
> >> BTW, I am willing to fix some issues and become more familiar with the
> >> code base.
> >>
> >> Thanks & Regards
> >>
> >> On Thu, Mar 2, 2017 at 11:41 PM, Nikhil Pawar <nickrp89@gmail.com>
> >> wrote:
> >>
> >> Hello Thisura,
> >>
> >> Welcome to the Mifos community. Happy to know that you want to
> >> contribute to Open Source and you are starting with us.
> >>
> >> When it comes to security, there is no tool which will give you
> >> total coverage. Also the results of different tools might not overlap
> >> for the same piece of code. Combining the output of multiple open source
> >> tools can potentially outperform the best licensed version on the
> >> market. Hence we were thinking of using TOIF (total output
> >> integration framework). For details regarding our thoughts on static
> >> analysis please refer to the following link:
> >> https://mifosforge.jira.com/wiki/display/projects/Static+Analysis+of+Apache+Fineract+Project-+A+GSOC+project+idea [22]
> >>
> >> Apart from knowing static analysis tools, you should have some
> >> degree of understanding of our code base to effectively analyse it.
> >> Thus it would be really helpful if you could resolve some bugs and
> >> provide fixes for the same.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> Sent from Yahoo Mail on Android [14]
> >>
> >> On Wed, Mar 1, 2017 at 1:08 PM, Thisura Philips
> >> <ttcphilips@gmail.com> wrote:
> >>
> >> Hi all,
> >>
> >> I am a second year undergrad from Sri Lanka Institute of Information
> >> Technology. I am interested in contributing to the open source world and
> >> seeking an opportunity to start my career with GSOC 2017.
> >>
> >> I have a special interest in computer and software security. I have
> >> used tools like Jlint, FindBugs and SonarQube for code analysis. While
> >> those tools are good for analyzing coding best practices, I would
> >> prefer using OWASP LAPSE for Java-based security analysis. If
> >> possible, Veracode and Fortify (static and dynamic) are better options,
> >> which cost a bit. :)
> >>
> >> I got an opportunity to work with the Veracode and Fortify tools as well
> >> in a part-time project. I ran code scanning against Java code and
> >> analyzed the reported vulnerabilities to check whether they are
> >> real.
> >>
> >> I am familiar with common attacks like buffer overflow, parameter
> >> tampering, URL tampering, header manipulation, cookie poisoning, SQL
> >> injection, cross-site scripting (XSS), cross-site request forgery,
> >> HTTP response splitting, command injection, path traversal, XPath
> >> injection, XML injection (external entity attack (XXE)) and LDAP
> >> injection.
> >>
> >> Also I am familiar with bad coding styles and practices which cause
> >> security vulnerabilities, such as storing passwords in Strings (using
> >> hard-coded credentials), not closing database connections, not
> >> encoding user inputs properly, and use of broken and risky algorithms
> >> such as MD5, which get caught in Fortify and Veracode scans most of
> >> the time.
> >>
> >> And yes, I am familiar with the respective resolutions also. :D
> >> I have experience in coding with good security coding practices. I
> >> took the initiative in OpenMRS [1] [23] to check their vulnerabilities
> >> and fix some of them [2] [24].
> >>
> >> I would like to contribute to this project to start my open source
> >> career. As the first step I have started to scan the Apache
> >> Fineract project with OWASP LAPSE. I would highly appreciate your
> >> thoughts and guidance along with this.
> >>
> >> [1] https://talk.openmrs.org/t/using-owasp-lapse-and-zap-for-security-analysis/4257 [23]
> >> [2] https://github.com/openmrs/openmrs-core/pull/1643/ [24]
> >>
> >> --
> >>
> >> T.T.C Philips (BSc.Eng (Undergrad))
> >> Computer Science and Engineering,
> >> Sri Lanka Institute of Information Technology(SLIIT)
> >>
> >> ------------------------------------------------------------------------------
> >> Check out the vibrant tech community on one of the world's most
> >> engaging tech sites, SlashDot.org! http://sdm.link/slashdot [25]
> >> Mifos-developer mailing list
> >> mifos-developer@lists.sourceforge.net
> >> Unsubscribe or change settings at:
> >> Mifos-developer Info Page [26]
> >
> > --
> >
> > T.T.C Philips (BSc.Eng (Undergrad))
> > Computer Science and Engineering,
> > Sri Lanka Institute of Information Technology(SLIIT)
> >
> >
> >
> >
> > Links:
> > ------
> > [1] http://cwe.mitre.org/data/definitions/582.html
> > [2] http://cwe.mitre.org/data/definitions/607.html
> > [3] http://cwe.mitre.org/data/definitions/397.html
> > [4] http://cwe.mitre.org/data/definitions/396.html
> > [5] https://www.securecoding.cert.org/confluence/x/BoB3AQ
> > [6] http://cwe.mitre.org/data/definitions/798
> > [7] http://cwe.mitre.org/data/definitions/259
> > [8] http://www.sans.org/top25-software-errors/
> > [9] https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
> > [10] http://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD
> > [11] http://cwe.mitre.org/data/definitions/500.html
> > [12] https://www.securecoding.cert.org/confluence/x/QQBqAQ
> > [13] https://docs.google.com/document/d/1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U/edit?usp=sharing
> > [14] https://overview.mail.yahoo.com/mobile/?.src=Android
> > [15] https://github.com/ThisuraThejith/incubator-fineract/tree/devOMFSonar
> > [16] https://drive.google.com/file/d/0B6WV3fK5Tak7RXFyWk5QM3AtVEU
> > [17] https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c
> > [18] http://www.sonarlint.org/commandline/
> > [19] https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456933/Coding+Standards
> > [20] https://github.com/apache/incubator-fineract/pull/307
> > [21] https://github.com/SonarQubeCommunity/sonar-pdf-report/
> > [22] https://mifosforge.jira.com/wiki/display/projects/Static+Analysis+of+Apache+Fineract+Project-+A+GSOC+project+idea
> > [23] https://talk.openmrs.org/t/using-owasp-lapse-and-zap-for-security-analysis/4257
> > [24] https://github.com/openmrs/openmrs-core/pull/1643/
> > [25] http://sdm.link/slashdot
> > [26] https://lists.sourceforge.net/lists/listinfo/mifos-developer
> > [27] https://docs.google.com/document/d/1q5Z1mWjoi8bTsV6pMzAXPlthmcYCTBDE9Ee_bzRt95Q/edit?usp=sharing
> >
>
>
>
>
>
>
> --
> T.T.C Philips (BSc.Eng (Undergrad))
> Computer Science and Engineering,
> Sri Lanka Institute of Information Technology(SLIIT)
>


-- 
T.T.C Philips (BSc.Eng (Undergrad))
Computer Science and Engineering,
Sri Lanka Institute of Information Technology(SLIIT)






