Vulnerability

Sensitive SYS owned functions should not be used

Description

    The rule "Sensitive SYS owned functions should not be used" flags PL/SQL code that calls functions owned by the SYS user. These functions are considered sensitive because they can have a significant impact on the system and can be used to access sensitive information. They should therefore be called only when absolutely necessary, and with the proper security measures in place.

Key Benefits

  • Increased Security: Avoiding sensitive SYS owned functions helps protect against malicious attacks and unauthorized access.
  • Reduced Risk: By avoiding the use of sensitive SYS owned functions, the risk of data loss or corruption is minimized.
  • Improved Performance: Using fewer sensitive SYS owned functions can help improve system performance.


Non-compliant Code Example

DECLARE
  input       NUMBER;
  result      NUMBER;
  sys_user_id NUMBER;
BEGIN
  sys_user_id := 0;  -- 0 is the user id of SYS
  input := sys.dbms_sql.open_cursor();
  -- Non compliant code (SYS owned function is used: sys.dbms_sys_sql)
  -- The block is parsed and later executed as SYS, not as the caller.
  sys.dbms_sys_sql.parse_as_user(input,
    'begin
       dbms_output.put_line(sys_context(''userenv'',''current_user''));
     end;',
    dbms_sql.native, sys_user_id);
  result := dbms_sql.execute(input);
  dbms_sql.close_cursor(input);
END;
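As an added example that is not part of the Visual Expert rule page, the same cursor work written the compliant way, using DBMS_SQL under the caller's own privileges instead of SYS.DBMS_SYS_SQL, followed by a query a reviewer can run to find stored code that still references the sensitive package. It assumes the reviewing account can read DBA_DEPENDENCIES.

```sql
-- Compliant rewrite: DBMS_SQL parses and runs the block with the
-- privileges of the calling user, so no SYS owned package is needed
-- and no user id is substituted. The output is the caller's own name.
DECLARE
  c      NUMBER;
  result NUMBER;
BEGIN
  c := dbms_sql.open_cursor;
  dbms_sql.parse(c,
    'begin
       dbms_output.put_line(sys_context(''userenv'',''current_user''));
     end;',
    dbms_sql.native);
  result := dbms_sql.execute(c);
  dbms_sql.close_cursor(c);
EXCEPTION
  WHEN OTHERS THEN
    -- Do not leak the cursor handle on failure.
    IF c IS NOT NULL AND dbms_sql.is_open(c) THEN
      dbms_sql.close_cursor(c);
    END IF;
    RAISE;
END;
/

-- Review check: list stored code that depends on the sensitive package.
-- Assumes SELECT privilege on DBA_DEPENDENCIES; ALL_DEPENDENCIES shows
-- only the objects visible to the current user.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'DBMS_SYS_SQL'
 ORDER BY owner, name;
```

The dependency query only finds static references; code that builds the package name dynamically still needs a text search of DBA_SOURCE.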
Visual Expert 2023
VEPLSQLRULE138