This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Highlighted
Amrityam_Rout
Respected Contributor.. Respected Contributor..
Respected Contributor..
‎2020-05-15 17:59
243 views

Fortify custom rules to detect spring boot misconfiguration in application-property.yml file

Anyone has any experience writing Fortify SCA custom rules to detect spring boot misconfiguration in YML file?

I have tried creating a rule for yml file but it looks like it is not supporting.Same rule works fine with respect to .properties file.I am attaching screenshots for your reference.

 

[error]: Rules file C:\installation\Samples\advanced\customrules\configuration\configuration_rules.xml has an error at line -1, column -1: The following error occured while trying to unmarshal field _type of class com.fortify.io.rule.ConfigFile.

For example as per the attached screenshot if show-details: ALWAYS then I want to flag this as a vulnerability.

 

@ebell

Labels (1)
Labels
0 Likes
Reply
Report Inappropriate Content
1 Reply
Highlighted
ebell
Micro Focus Expert
Micro Focus Expert
‎2020-05-18 16:57

Re: Fortify custom rules to detect spring boot misconfiguration in application-property.yml file

@Amrityam_Rout I do not have extensive experience with creating custom rules in SCA; however, in researching the error there are a number of reasons (e.g., syntax error in rule).

In the Custom Rules Editor when creating a Configuration Rule there are only two options available: properties and xml. This could be the reason for your syntax error:

 

ebell_0-1589817437233.png

 

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.