techresearch

Reputation: 169

SqlConnection - Veracode scan CWE-15: external control of system or configuration issue

In an Azure function, I am creating a SQL connection by accessing an Azure function configuration setting, mydbconstring, which is a Key Vault reference setting. So this mydbconstring is secured information, since it is stored in Key Vault. I am using the code below to create the SqlConnection in the Azure function.

using (SqlConnection con = new SqlConnection(Environment.GetEnvironmentVariable("mydbconstring", EnvironmentVariableTarget.Process)))
{
    // code here
}

In the Veracode scan we get the high-severity issue below, CWE-15: external control of system or configuration, for the above line. But how is this actually an issue when I have the connection string as a Key Vault reference configuration in the function app, which I think is secured? Is there any need for mitigation here, or is it a false positive? If mitigation is required, then what should be the approach for the fix?

Upvotes: 1

Views: 334
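
Added example, not part of the original post: one way to handle a CWE-15 finding on this line is to parse the setting and rebuild the connection string from validated fields, instead of passing the environment value straight into SqlConnection. The class name DbConnectionFactory, the allow-listed server and database names, and the use of SQL authentication are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient; // Microsoft.Data.SqlClient offers the same builder type

public static class DbConnectionFactory // hypothetical helper, not from the post
{
    // Assumption: placeholder server and database this function may use.
    private static readonly HashSet<string> AllowedDataSources =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "tcp:example-sql.database.windows.net,1433" };

    private static readonly HashSet<string> AllowedCatalogs =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "exampledb" };

    public static SqlConnection Create(string settingName = "mydbconstring")
    {
        string raw = Environment.GetEnvironmentVariable(
            settingName, EnvironmentVariableTarget.Process);
        if (string.IsNullOrWhiteSpace(raw))
            throw new InvalidOperationException($"Setting '{settingName}' is not set.");

        SqlConnectionStringBuilder parsed;
        try
        {
            // The builder rejects keywords it does not recognise.
            parsed = new SqlConnectionStringBuilder(raw);
        }
        catch (ArgumentException)
        {
            // Do not echo the raw value: it contains credentials.
            throw new InvalidOperationException($"Setting '{settingName}' is malformed.");
        }

        if (!AllowedDataSources.Contains(parsed.DataSource))
            throw new InvalidOperationException("Data source is not on the allow-list.");
        if (!AllowedCatalogs.Contains(parsed.InitialCatalog))
            throw new InvalidOperationException("Database is not on the allow-list.");

        // Copy only the validated fields and pin the transport options in code,
        // so the external value cannot turn off encryption or certificate checks.
        var safe = new SqlConnectionStringBuilder
        {
            DataSource = parsed.DataSource,
            InitialCatalog = parsed.InitialCatalog,
            UserID = parsed.UserID,
            Password = parsed.Password,
            Encrypt = true,
            TrustServerCertificate = false
        };
        return new SqlConnection(safe.ConnectionString);
    }
}
```

The call site from the question then becomes `using (SqlConnection con = DbConnectionFactory.Create())`.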

Answers (0)
