The REFDOC application stores and retrieves data from the CC_REFDOC database hosted at DNS.URL, the Field Reporting Enclave of the Corporate Data Warehouse run by the Business Intelligence Service Line and hosted by Enterprise Operations. These entities are all within the VA and are providing data and services on behalf of the VA in accordance with the requirements of the VA.
There are no SQL Injection vulnerabilities identified by Fortify at any severity level.
There are two different origins of the information that can be retrieved from this database. The first is the sibling database CDWWork, which is a relational data warehouse copy of the data that is in the electronic medical record. Anything from CDWWork is treated as trustworthy and correct.
The second source is data that was previously entered by the application, or was set up as part of application configuration. Data entered in these local tables falls into one of three categories: it is derived from data from CDWWork (and thus trusted), it is a timestamp generated by the application or database for logging purposes, or it is validated against data from CDWWork before it is entered.
No other applications have access to this database and connection strings are encrypted per EWIS hosting policy.