Hello Simon,
These log statements are intended to be there. There has been an effort
[1] to redact any sensitive information from any logging within the
library, but there is no plan to remove these statements. Should you
need to, you could certainly remove these statements and compile the
library yourself.
[1]
https://github.com/sqlcipher/android-database-sqlcipher/commit/701fc6e02f97fe7b98860c330330689063468136
On 11/21/14 2:00 PM, Simon Tse wrote:
> Hello. I have been using SQLCipher for a while but have in recent times
> had to submit my code through Veracode scans to check for security
> levels. I got a bunch of medium violations that I am on the hook for
> fixing. The description is as such
>
> Improper Output Neutralization for Logs (CWE ID 117)(17 flaws)
>
> Description
>
> A function call could result in a log forging attack. Writing
> unsanitized user-supplied data into a log file allows an attacker to
> forge log entries or inject malicious content into log files. Corrupted
> log files can be used to cover an attacker's tracks or as a delivery
> mechanism for an attack on a log viewing or processing utility. For
> example, if a web administrator uses a browser-based utility to review
> logs, a cross-site scripting attack might be possible.
>
> * net/.../database/SQLiteCursor.java 591
> * net/.../SQLiteDatabase.java 404
> * net/.../SQLiteDatabase.java 505
> * net/.../SQLiteDatabase.java 881
> * net/.../SQLiteDatabase.java 1489
> * net/.../SQLiteDatabase.java 1528
> * net/.../SQLiteDatabase.java 1631
> * net/.../SQLiteDatabase.java 1634
> * net/.../SQLiteDatabase.java 1773
> * net/.../SQLiteDatabase.java 1780
> * net/.../SQLiteDatabase.java 1892
> * net/.../SQLiteDatabase.java 2096
> * net/.../SQLiteDatabase.java 2118
> * net/.../SQLiteDatabase.java 2128
> * net/.../SQLiteDatabase.java 2157
>
> I also found another which is
>
> External Control of File Name or Path (CWE ID 73)
>
> * net/.../SQLiteDatabase.java 414 x2
> * net/.../SQLiteDatabase.java 885
>
> There is more that I found. What I am wondering is what SQLCipher's
> position on these is, and are these things that can be changed?
>
> Simon
>
--
Nick Parker
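The CWE-117 finding quoted above turns on one property of a log file: it is line-oriented, so the characters that let untrusted data "forge" an entry are line breaks and other control characters. The usual mitigation is to neutralise those characters at the logging boundary rather than strip the log calls. The class below is an added example written for this thread; it is not SQLCipher code and does not reflect the redaction commit linked as [1]. The method names (`neutralize`, `formatSqlMessage`) and the sample statement are constructed for illustration.

```java
/**
 * Added example (not SQLCipher code): neutralising untrusted values before
 * they reach a log line, the standard mitigation for CWE-117 (log forging).
 *
 * Every control character in the value is replaced by a visible escape, so a
 * single log call always produces a single line and any injection attempt
 * shows up as literal "\n" text instead of a new entry.
 */
public final class LogNeutralizer {

    private LogNeutralizer() {}

    /** Returns the value with every control character replaced by an escape. */
    public static String neutralize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    // ASCII control range (0x00-0x1F, 0x7F) plus the Unicode
                    // line and paragraph separators (U+2028, U+2029), which some
                    // log viewers also render as line breaks.
                    if (c < 0x20 || c == 0x7F || c == (char) 0x2028 || c == (char) 0x2029) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** Builds the one-line message a logger would be handed for a statement. */
    public static String formatSqlMessage(String sql) {
        return "executing: " + neutralize(sql);
    }

    public static void main(String[] args) {
        // Constructed input: a statement carrying a line break followed by text
        // shaped like a second, fabricated log entry.
        String untrusted = "SELECT * FROM t WHERE id = 1\n"
                + "11-21 14:00:01 I/SQLiteDatabase: forged entry";

        // Logged raw, the value spans two lines and the second looks genuine.
        System.out.println("unsafe: executing: " + untrusted);

        // Neutralised, the whole statement stays on one line with a visible \n.
        System.out.println("safe:   " + formatSqlMessage(untrusted));
    }
}
```

Applying this at the point where a value is concatenated into a log message is what static scanners such as the one in the thread look for: the flagged data flow ends in a sanitiser before the log sink, so the finding clears without removing the statements from the library.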