How to write language-specific custom rules in Fortify?

I created some custom rules in Fortify, but I wonder whether there is a way to configure these rules so that they are language specific.

The reason for this is to be able to provide custom descriptions for SQL injection in Java and .NET, for example, along with custom references, so that they are language specific.

Fortify seems to map custom rules into categories, but the problem arises when we have two packages: one for .NET and the other for Java, and both of them provide a category called Cross-Site Scripting.

Do you guys know how to make these rules language specific?

Thanks.


, :

<StructuralRule formatVersion="3.8" language="dotnet">
    <RuleID>1537A69A-F7EA-4D14-9F8F-0CC17806780A</RuleID>
    <VulnKingdom>Input Validation and Representation</VulnKingdom>
    <VulnCategory>SQL Injection</VulnCategory>
    <DefaultSeverity>2.0</DefaultSeverity>
    <Description></Description>
    <!-- Matches an assignment to CommandText on any IDbCommand implementation
         unless the enclosing function also sets CommandType to 4
         (CommandType.StoredProcedure), i.e. the command text is raw SQL. -->
    <Predicate><![CDATA[
        FunctionCall fc: fc.function is [Function f: f.name == "set_CommandText" and
                f.enclosingClass.supers contains [Class c: c.name == "System.Data.IDbCommand"]] and
            not fc.enclosingFunction contains [FunctionCall call: call.function is
                [Function f1: f1.name == "set_CommandType" and
                 f1.enclosingClass.supers contains [Class c1: c1.name == "System.Data.IDbCommand"]] and
                call.arguments[0].constantValue == 4]
    ]]></Predicate>
</StructuralRule>
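As an added illustration (not part of the original question or answer), the Python script below lints a constructed, simplified rulepack: it flags rules that omit the language attribute or leave Description empty, and lists categories that appear under more than one language, which is exactly where the .NET and Java descriptions need to diverge. The wrapper elements, rule IDs and descriptions in the sample are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, simplified rulepack for this demo (a real Fortify rulepack also carries
# a namespace and pack metadata). Two rules share a category across languages; the third has no language.
SAMPLE_RULEPACK = """<RulePack>
  <Rules><RuleDefinitions>
    <StructuralRule formatVersion="3.8" language="dotnet">
      <RuleID>EXAMPLE-DOTNET-XSS</RuleID>
      <VulnCategory>Cross-Site Scripting</VulnCategory>
      <Description>.NET-specific description</Description>
    </StructuralRule>
    <StructuralRule formatVersion="3.8" language="java">
      <RuleID>EXAMPLE-JAVA-XSS</RuleID>
      <VulnCategory>Cross-Site Scripting</VulnCategory>
      <Description>Java-specific description</Description>
    </StructuralRule>
    <StructuralRule formatVersion="3.8">
      <RuleID>EXAMPLE-NOLANG-SQLI</RuleID>
      <VulnCategory>SQL Injection</VulnCategory>
      <Description></Description>
    </StructuralRule>
  </RuleDefinitions></Rules>
</RulePack>"""

def _text(rule, name):
    """Stripped text of the first child whose local (namespace-free) name is `name`, or ''."""
    for child in rule:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return ""

def lint_rulepack(xml_text):
    """Flag rules lacking a language or description; list categories spanning languages."""
    missing_language, empty_description = [], []
    langs_by_category = defaultdict(set)
    for rule in ET.fromstring(xml_text).iter():
        if rule.tag.rsplit("}", 1)[-1] != "StructuralRule":
            continue
        rule_id, lang = _text(rule, "RuleID"), rule.get("language")
        if not lang:
            missing_language.append(rule_id)
        if not _text(rule, "Description"):
            empty_description.append(rule_id)
        langs_by_category[_text(rule, "VulnCategory")].add(lang or "<none>")
    shared = {c: sorted(l) for c, l in langs_by_category.items() if len(l) > 1}
    return {"missing_language": missing_language,
            "empty_description": empty_description,
            "shared_categories": shared}
```

Running `lint_rulepack(SAMPLE_RULEPACK)` reports the rule without a language, the rule with an empty description, and Cross-Site Scripting as a category that needs a separate rule per language.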

Source: https://habr.com/ru/post/1616722/