...
Passing untrusted, unsanitized data to the Runtime.exec() method can result in command and argument injection attacks.
Rule | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
IDS07-J | High | Probable | Yes | NoMedium | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
| CodeSonar |
| JAVA.IO.INJ.COMMAND | Command Injection (Java) | ||||||
| Coverity | 7.5 | OS_CMD_INJECTION | Implemented | ||||||
| Klocwork |
| SV.EXEC SV.EXEC.DIR SV.EXEC.ENV SV.EXEC.LOCAL SV.EXEC.PATH | |||||||
| Parasoft Jtest |
| CERT.IDS07.EXEC | Do not use 'Runtime.exec()' | ||||||
| SonarQube |
| OS commands should not be vulnerable to injection attacks |
...