SV.UMD.MAIN
This error occurs when a main method is detected in web applications, J2EE applications, and applets.
Vulnerability and risk
Leaving main() methods behind in a web application allows easy back-door access to the application. Security designs in web applications tend not to consider main method access and therefore are a risk.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Remove all main methods in production code.
Example 1
public class SV_UMD_MAIN_Sample_1 extends HttpServlet {
public void doGet(HttpServletRequest req,
HttpServletResponse res) throws ServletException,
IOException {
res.setContentType("text.htm");
PrintWriter out = res.getWriter();
String name = req.getParameter("name");
out.println("<HTML>");
out.println("<HEAD><TITLE>Hello, " + name
+ "</TITLE></HEAD>");
out.println("<BODY>");
out.println("Hello, " + name);
out.println("</BODY></HTML>");
}
public String getServletInfo() {
return "A servlet that knows "
+ "the name of the person to whom it's"
+ "saying hello";
}
private void work() {
// test some code within our application
}
// leaving this around is unwanted once in production
public static void main(String[] args) {
SV_UMD_MAIN_Sample_1 ex = new SV_UMD_MAIN_Sample_1();
// test that our code is working
ex.work();
}
}SV.UMD.MAIN is reported for line 38: The main() method definition provides entry point to the application, remove all unused main methods.
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
