Fortify issues #318
I'm sorry, but what exactly are "fortify" issues, i.e., whence do these complaints arise? The lax processing, any type allowances and unbounded occurrence instances were all quite intentionally designed into the OVAL schemas. And they are also all quite irreversible without breaking backwards-compatibility. I am curious about the "undefined namespace". I believe all the namespaces are well-defined.
Thanks for the reply.
The "undefined namespace" issue is a side-effect of allowing the use of custom metadata schemas. This is a feature of OVAL as well. Using a tool such as Fortify to perform static analysis can be very useful, but you are still left with the burden of having to understand and interpret its output. If you do not believe that you can trust the schema-aware XML processor you've chosen to ingest OVAL content directly, you are free to create your own more restrictive schemas and live without the features that you've chosen to eliminate. But the OVAL community has no immediate plans to do so. |
Thanks Davic.
My bad. Thanks David!
The following Fortify issues are reported on these XSD files. Are there any plans to fix these issues?