javascript - Fortify complaints "Hardcoded Encryption Key" Mozilla pdf.js - Stack Overflow

In my project we are using pdf.js from Mozilla. Now the Fortify scan complains about "Hardcoded Encryption Key". See the image below.

Please provide some help on this. Using version 2 of pdf.js.

asked Jul 5, 2019 at 5:55 by Anoop M Nair
  • 3 I have the feeling this is a false positive, and that it detects those lines by scanning for a field that starts with key – Ferrybig Commented Jul 5, 2019 at 6:15
  • 2 Fortify is notorious for needing tweaks to the rules to stop flagging safe code. So, yeah - it seems this is one of those cases. – VLAZ Commented Jul 5, 2019 at 6:17
2 Answers

Fortify used its semantic analyzer, which did a grep for the word "key". So this accounts for the fact that the value, which in this case is key, is a variable name. Fortify identified the word 'key' as an encryption key. So you can mark this case as a false positive.

The semantic analyzer of Fortify is very notorious for false positives. If you want a more automated solution, Fortify is not the right tool.

I have also faced this issue. Whenever Fortify scans the application, it looks for some specific fields like "key" or "password", and its analyzer will start complaining with "Hardcoded Encryption Key" or "Password Management: Hardcoded Password".

Refer to the link below for more information.
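
What both answers describe, as an added example that is not part of the original answers and is not Fortify's actual rule logic: a simplified model of a name-based rule, followed by a triage pass that checks whether a string literal is really assigned to the flagged name. The sample lines, the thresholds (16 characters, 3.5 bits per character) and all function names are assumptions constructed for illustration.

```javascript
// Added example: a simplified model of name-based flagging, not Fortify's rule logic.
// SAMPLE lines are constructed for illustration; they are not copied from pdf.js.
const SAMPLE = [
  'var key = dict.get("Name");',
  'for (var key in properties) { count++; }',
  'params.push({ key: "FontName", value: name });',
  'var encryptionKey = "3f9a1c0b7d2e4f68a1b2c3d4e5f60718";',
  'var password = prompt("Enter password");',
];

// Stage 1: what the answers describe, any identifier containing "key" or "password".
const NAME_RULE = /\b\w*(?:key|password)\w*\b/i;
// Stage 2: the same identifier with a string literal assigned to it (= or :).
const LITERAL_RULE = /\b(\w*(?:key|password)\w*)\s*[:=]\s*(["'])((?:\\.|(?!\2).)*)\2/i;

// Assumed thresholds for "looks like key material"; tune for your code base.
const MIN_LENGTH = 16;
const MIN_ENTROPY = 3.5; // bits per character

function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

function nameBasedFindings(lines) {
  return lines.filter((line) => NAME_RULE.test(line));
}

// Returns null when the name rule would not fire, otherwise a triage verdict.
function triage(line) {
  if (!NAME_RULE.test(line)) return null;
  const m = LITERAL_RULE.exec(line);
  if (!m) return { verdict: 'name-only', name: null, literal: null };
  const [, name, , literal] = m;
  const keyLike = literal.length >= MIN_LENGTH && shannonEntropy(literal) >= MIN_ENTROPY;
  return { verdict: keyLike ? 'literal-high-entropy' : 'literal-review', name, literal };
}

for (const line of nameBasedFindings(SAMPLE)) {
  console.log(triage(line).verdict.padEnd(22), line);
}
```

The name rule fires on all five lines, while only one carries a literal that resembles key material. A `literal-review` verdict still needs a human to check how the value is used; only `name-only` lines are candidates for marking as false positives.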
