How can I filter by specific taint source in fortify sca custom rules?
If we can trust the data from the database and the property file, can we filter out the vulnerabilities from the taint sources DATABASE and PROPERTY with a custom rule? We want to use `-rules custom-rules.xml` in the sourceanalyzer command to filter the vulnerabilities at the analysis phase.
The easiest way to do this is with filters instead of custom rules. In general, if you want to remove issues, use filters; to discover new vulnerabilities or to add support for unsupported third-party libraries, use custom rules.
You can remove issues where the untrusted data source is the database or a property file with the following filters.
Try the following in Audit Guide:
Audit Guide -> Advanced -> Property File Inputs + Database Inputs
That creates two visibility filters that hide dataflow issues where the untrusted source of input is the database or a property file. These filters can be exported as a project template and applied to all future projects by using that project template in SSC or by applying it to an FPR in AWB.