How do you configure HP Fortify SCA to mark database as trusted source?


HP Fortify consider database as untrusted source (Tainted source). Is there a way to configure HP Fortify to mark the database as trusted source (Untainted source). If yes what are the options here to do it?

One random thought I have (though I have not tried it) is to mark the getter method(s) of the Entity class (considering one is using hibernate) as safe for specific vulnerability (TaintedFlag) using dataflowcleansing rule. If that works (which I guess should work), then is that the recommended way to do it? Or is there a different approach to configure it in HP Fortify?

Can one mark complete database (all tables) as trusted or is there a way to specifically mark a table (or column) as trusted. It will be interesting to know pro and cons of these approach and what is recommended approach.




  • Hi,

    As I mentioned above, I attempted to write a dataflowcleanse rule to one of the getter method of the Entity class that maps to a column of a table in database. It worked out and HP Fortify SCA did not mark the security vulnerability for which the dataflowcleanse rule was added.

    However I am still interested to know if there other ways (configurations) possible in HP Fortify to mark database as a trusted source as the above approach is not a viable options for numous table and columns the application can have.

    I do not know if this the right forum for developers exchange and share knowledge and experience. Is there any other forum too where one should post such queries?



  • You might be able to annotate persistable objects using Fortify annotations as well. I've had varying degrees of success using the annotations, but it might be something to look into.