Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Amrityam_Rout
Captain Captain
Captain
‎2020-05-15 17:59
656 views

Fortify custom rules to detect spring boot misconfiguration in application-property.yml file

Anyone has any experience writing Fortify SCA custom rules to detect spring boot misconfiguration in YML file?

I have tried creating a rule for yml file but it looks like it is not supporting.Same rule works fine with respect to .properties file.I am attaching screenshots for your reference.

 

[error]: Rules file C:\installation\Samples\advanced\customrules\configuration\configuration_rules.xml has an error at line -1, column -1: The following error occured while trying to unmarshal field _type of class com.fortify.io.rule.ConfigFile.

For example as per the attached screenshot if show-details: ALWAYS then I want to flag this as a vulnerability.

 

@ebell

Labels (1)
Labels
Preview file
39 KB
Preview file
46 KB
Preview file
52 KB
0 Likes
Reply
Report Inappropriate Content
1 Reply
ebell
Micro Focus Expert
Micro Focus Expert
‎2020-05-18 16:57

@Amrityam_Rout I do not have extensive experience with creating custom rules in SCA; however, in researching the error there are a number of reasons (e.g., syntax error in rule).

In the Custom Rules Editor when creating a Configuration Rule there are only two options available: properties and xml. This could be the reason for your syntax error:

 

ebell_0-1589817437233.png

 

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.