Cadet 3rd Class

How can I filter by specific taint source in fortify sca custom rules?

Hi

If we can trust the data from the database and the property file, can we filter the vulnerabilities from the taint sources DATABASE and PROPERTY with a custom rule? We want to use -rules custom-rules.xml in the sourceanalyzer command to filter the vulnerabilities at the analysis phase.

Regards,

Steven

Micro Focus Frequent Contributor

The easiest way to do this is with filters instead of custom rules. In general, if you want to remove issues, you should use filters; to discover new vulnerabilities or add support for unsupported third-party libraries, use custom rules.

You can remove issues where the untrusted data source is the database or a property file with the following filters.

In AWB

Try the following in Audit Guide:

Audit Guide -> Advanced -> Property File Inputs + Database Inputs

That creates two visibility filters that will filter dataflow issues where the untrusted source of input is the database or a property file. These filters can be exported as a project template and applied to all future projects by using that project template in SSC or by applying it to an FPR in AWB.
