Could Fortify help us scan for ReDoS (Regular Expression Denial of Service) issues?
Currently we write a simple "bad" regular expression and scan the project with Fortify, but we could not get the issue reported by Fortify. Just to confirm, can we get ReDoS issues from Fortify? If yes, how?
There are rules for this category of vulnerability, as shown on vulncat: https://vulncat.hpefod.com/en/detail?id=desc.dataflow.java.denial_of_service_regular_expression#Java%2fJSP
If you think there is a false negative (i.e. SCA should be reporting a vulnerability on your use of regular expressions, but isn't), I recommend opening a support case (email firstname.lastname@example.org or log in to https://support.fortify.com) and sending us some sample code which should be triggering that vulnerability.
We can check into it, make sure you're using some supported APIs, and if necessary involve our Security Research Group who write the rules.
Fortify L3 support engineer
Fortify is able to find potential ReDoS, but only when SCA detects that a regex pattern is defined (fully or partially) from unvalidated user input. That is because the ReDoS rules are actually Data Flow rules rather than Semantic rules that evaluate every regex in your application.
If you want Fortify to evaluate all of your statically defined regex patterns for potential ReDoS, you can write a Semantic Rule to use in future scans.
Hope this is useful.
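To make the distinction in the answer above concrete, here is an added Java illustration (not code from the thread or from Fortify): a tainted-pattern case that the Data Flow rule is shaped to report, its hardened form, and a statically defined pattern that no Data Flow rule will flag because no untrusted data reaches it. The class and parameter names are hypothetical.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

// Hypothetical servlet helper used only to illustrate what SCA's
// "Denial of Service: Regular Expression" data-flow rule sees.
public class UserSearch {

    // Case 1: a request parameter (taint source) flows into Pattern.compile
    // (the sink). The caller controls the pattern itself, so this is the
    // source-to-sink path the Data Flow rule is written to report.
    public static boolean matchesUserPattern(HttpServletRequest req, String text) {
        String userRegex = req.getParameter("q");                 // untrusted
        return Pattern.compile(userRegex).matcher(text).find();  // tainted sink
    }

    // Case 1 hardened: treat the input as a literal, never as regex syntax.
    // Pattern.quote wraps it in \Q...\E, so quantifiers and groups cannot
    // survive; bounding the length also limits the work per request.
    public static boolean containsUserText(HttpServletRequest req, String text) {
        String needle = req.getParameter("q");
        if (needle == null || needle.length() > 256) {
            return false;
        }
        return Pattern.compile(Pattern.quote(needle)).matcher(text).find();
    }

    // Case 2: a statically defined pattern with a nested quantifier. Nothing
    // tainted reaches Pattern.compile, so the Data Flow rule stays silent even
    // though the pattern can backtrack heavily on non-matching input. Finding
    // this needs a custom Semantic rule over the literal, as the answer says.
    private static final Pattern STATIC_BAD = Pattern.compile("^(\\w+\\s?)*$");

    // Same grammar rewritten with Java possessive quantifiers (++, ?+, *+),
    // which never give back characters and therefore cannot backtrack.
    private static final Pattern STATIC_FIXED = Pattern.compile("^(\\w++\\s?+)*+$");

    public static boolean matchesStatic(String text) {
        return STATIC_FIXED.matcher(text).matches();
    }
}
```

Compile-time constants like STATIC_BAD are exactly the inputs a custom Semantic rule would have to inspect, since no taint ever flows into them.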