Diff: tools/VisualCodeGrepper-2.1.0/plsqlfunctions.conf

Revision:

1:efe9cad8942f

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/VisualCodeGrepper-2.1.0/plsqlfunctions.conf	Tue Mar 13 14:52:59 2018 +0300
@@ -0,0 +1,15 @@
+// Functions known to cause issues in PL/SQL code.
+// To add new issues use the format: function name[=>][[N]][description]
+//	(where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal'))
+//
+// NB - function names are *not* case-sensitive for this file
+//
+// Potential SQL Injection (uncomment the following two lines if you wish to identify every use of 'EXECUTE IMMEDIATE' and 'OPEN FOR')
+// With these lines commented, VCG will only report on use of these functions in conjunction with user-supplied variables.
+//EXECUTE IMMEDIATE=>[3]Allows the use of dynamic SQL statements which are potentially vulnerable to SQL injection, depending on the origin of input variables and opportunities for an attacker to modify them before they reach the procedure.
+//OPEN FOR=>[3]Allows the use of dynamic SQL statements which are potentially vulnerable to SQL injection, depending on the origin of input variables and opportunities for an attacker to modify them before they reach the procedure.
+
+// Poor error handling
+WHEN OTHERS THEN=>[3]The code contains catch-all error blocks which can result in unpredictable outcomes during processing, resulting in an increased risk of data corruption.
+
+