SV.UMD.MAINThis error occurs when a main method is detected in web applications, J2EE applications, and applets. Vulnerability and riskLeaving main() methods behind in a web application allows easy back-door access to the application. Security designs in web applications tend not to consider main method access and therefore are a risk. Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error. Mitigation and preventionRemove all main methods in production code. Example 115 public class SV_UMD_MAIN_Sample_1 extends HttpServlet {
16 public void doGet(HttpServletRequest req,
17 HttpServletResponse res) throws ServletException,
18 IOException {
19 res.setContentType("text/html");
20 PrintWriter out = res.getWriter();
21 String name = req.getParameter("name");
22 out.println("<HTML>");
23 out.println("<HEAD><TITLE>Hello, " + name
24 + "</TITLE></HEAD>");
25 out.println("<BODY>");
26 out.println("Hello, " + name);
27 out.println("</BODY></HTML>");
28 }
29 public String getServletInfo() {
30 return "A servlet that knows "
31 + "the name of the person to whom it's"
32 + "saying hello";
33 }
34 private void work() {
35 // test some code within our application
36 }
37 // leaving this around is unwanted once in production
38 public static void main(String[] args) {
39 SV_UMD_MAIN_Sample_1 ex = new SV_UMD_MAIN_Sample_1();
40 // test that our code is working
41 ex.work();
42 }
43 }
SV.UMD.MAIN is reported for line 38: The main() method definition provides entry point to the application, remove all unused main methods. |