I used Fortify software to scan a web project and encountered great difficulties.
Issue: Password Management: Password in HTML Form
<input name="pin" type="password" data-rule-required="true" value="${pin}">
type="password" lets me show ** to the user on the HTML page.
How can I fix this issue?
Fortify uses a number of different analysis techniques on the backend. The more sophisticated ones are data and call analysis. Others are simplistic syntax analyses, looking for unsafe functions.
One of the syntax analysis rules looks for the word "password" anywhere in the source files, surmising that it represents a hard-coded password. However, it may be a variable named "password"/"pwd" or part of the HTML (as in your case). They're pretty quick to review, and you mark them "not an issue" and suppress them so they don't turn up in future scans.
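As an added example (not part of this thread, and not Fortify's own rule logic), the following check shows the pattern a scanner can flag in the question's markup: a password input whose value attribute is populated from the server, so the secret lands in the page source even though the browser masks it as **. The "fixed" form, with the value attribute removed, is an assumed variant for comparison.

```python
from html.parser import HTMLParser

# Constructed sample markup: the input as posted in the question, and the
# same field with the value attribute removed (assumed fixed form).
POSTED_FORM = '<input name="pin" type="password" data-rule-required="true" value="${pin}">'
FIXED_FORM = '<input name="pin" type="password" data-rule-required="true">'


class PasswordFieldChecker(HTMLParser):
    """Collects <input type="password"> elements that carry a non-empty value.

    A populated value attribute means the server writes the secret into the
    HTML (a template placeholder such as ${pin} is rendered server-side),
    where it is readable in the page source regardless of the ** masking
    shown in the box.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value) pairs; value is None for bare attributes
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("type", "").lower() != "password":
            return
        if attr.get("value", "") != "":
            line = self.getpos()[0]
            self.findings.append((attr.get("name", "<unnamed>"), attr["value"], line))


def find_prefilled_password_fields(html):
    """Return (field name, value attribute, line number) for each flagged input."""
    checker = PasswordFieldChecker()
    checker.feed(html)
    checker.close()
    return checker.findings


if __name__ == "__main__":
    for label, doc in (("posted", POSTED_FORM), ("fixed", FIXED_FORM)):
        print(label, find_prefilled_password_fields(doc))
```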