Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
244 views

Need help with setting up the Data flow cleanse rule to reduce some False Positives

Hi,

Per the previous Discussion thread here, I finally got a chance to look through the plugin source and determined the command-line -D parameter below is recognized by Fortify:

-Dfortify.sca.rules

I see evidence to that effect through the "sca-scan_FortifySupport" logs that the rule pack file got picked up during the scan phase. The FPR file that I received on the output step still has that Database Access Control High vulnerability. Can someone review the rule pack xml file and confirm to me if/what there is a problem with it?

I attached the xml file, and the screenshots that provide the details of the specific vulnerability that I am trying to stop from being reported on by Fortify. Am I completely off track with what I am trying to do here, it is definitely possible.

Maybe, there is a different process altogether for dev team to tell Fortify to reduce the noise from our scans.

0 Likes
1 Reply
Vice Admiral
Vice Admiral

I did not use cleanse rules yet, so it's nice to see one in a question and learn from it.  My guess on why it did not work would be that the input does not go into "findAll" before hitting the database.  The finding's suspicion was that the user input goes into the SQL statement without authorization checks such as whether the requested WHERE range is authorized for the session's user.  The "findAll" method appears to receive some database records as a result of the SQL statement (possibly in PageRequest).  It appears the findAll call filters the database results based on the additional predicates.  To address the finding's suspicion in an explicit way, one may try writing a method that will return true if the input parameters are authorized for the session's user, then calling the method before executing (or even constructing) the SQL query.  Then one would have to declare this method in the Fortify cleanse rule (I don't know if the Fortify checker can be told which return value indicates an authorization pass).  I never did this myself because I did not want to bother developers whose code unfortunately recycles every few years.  But having cleanse rules would seem to be superior to the ungrateful management of suppressions.

Tags (1)
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.