Vulnerability Remediation

Vulnerabilities detected by HoundDog.ai can be fixed in one of two ways:

Code Removal

Some vulnerabilities come from logging or streaming sensitive data to stdout or stderr. These are usually safe to fix by removing the logging or print statement completely, since nothing else in the program depends on the logged value. Example:

Before (Python)

After (Python)

Data Sanitization

Other cases involve data that must remain in the code, such as sending user data to a monitoring tool like Datadog. In these situations, complete removal could cause unintended consequences, so the safer approach is to sanitize the value before use. Depending on the sensitivity of the data, this might involve redaction, masking, or encryption.

Before (JavaScript)

After (JavaScript)

Auto-Closing Issues

To ensure the scanner auto-closes the vulnerability after remediation, the variable name holding the sanitized value in the fixed version of the code must begin with sanitized. Use the style that matches your language or project:

  • sanitizedUserId (camelCase)
  • sanitized_user_id (snake_case)
  • SanitizedUserId (PascalCase)
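The sanitization approach and the sanitized naming convention described above, as an added example that is not part of the HoundDog.ai documentation. The monitoring client, the HMAC key and the input values are constructed stand-ins (not Datadog's SDK); the masking, redaction and pseudonymization helpers are ordinary choices, not the scanner's own.

```python
import hashlib
import hmac


def mask_identifier(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Mask all but the last `keep_last` characters so the value is still
    recognisable to an operator but no longer a usable identifier."""
    if len(value) <= keep_last:
        return mask_char * len(value)
    return mask_char * (len(value) - keep_last) + value[-keep_last:]


def redact_email(value: str) -> str:
    """Keep the first character of the local part and the domain; anything
    that does not look like an email is replaced entirely."""
    local, sep, domain = value.partition("@")
    if not sep or not local:
        return "[REDACTED]"
    return f"{local[0]}***@{domain}"


def pseudonymize(value: str, key: bytes) -> str:
    """Stable keyed token (HMAC-SHA256, truncated) so events from the same user
    can still be correlated in the monitoring tool without exposing the raw id."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class StubMonitoring:
    """Constructed stand-in for a monitoring client such as Datadog."""

    def __init__(self) -> None:
        self.events: list[dict] = []

    def event(self, name: str, attributes: dict) -> None:
        self.events.append({"name": name, **attributes})


def report_login(monitoring: StubMonitoring, user_id: str, email: str, key: bytes) -> dict:
    # Before (the pattern the scanner flags): raw identifiers sent to monitoring.
    #   monitoring.event("login", {"user_id": user_id, "email": email})
    # After: sanitize first; the `sanitized_` prefix lets the scanner auto-close.
    sanitized_user_id = mask_identifier(user_id)
    sanitized_email = redact_email(email)
    sanitized_user_token = pseudonymize(user_id, key)
    attributes = {
        "user_id": sanitized_user_id,
        "email": sanitized_email,
        "user_token": sanitized_user_token,
    }
    monitoring.event("login", attributes)
    return attributes
```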