How to write Fortify custom rules language specific?

谁都会走 submitted on 2019-12-11 19:27:15

Question


I'm creating some custom rules using Fortify but I wonder if there is any way to customise those rules so they can be language specific.

The reason for that is to be able to give custom descriptions in Java and in .NET about SQL injection, for instance, and custom references, so they can be language specific.

It seems like Fortify maps custom rules by category, but the issue comes when we have two packages, one for .NET and the other for Java, and both of them expose a category called Cross-Site Scripting.

Do you guys know how to make these rules language-specific?

Thanks.


Answer 1:


Use the language attribute of the rule, like here:

<!-- language="dotnet" scopes this rule to .NET code; a Java rule can reuse the same VulnCategory without colliding -->
<StructuralRule formatVersion="3.8" language="dotnet">
    <RuleID>1537A69A-F7EA-4D14-9F8F-0CC17806780A</RuleID>
    <VulnKingdom>Input Validation and Representation</VulnKingdom>
    <VulnCategory>SQL Injection</VulnCategory>
    <DefaultSeverity>2.0</DefaultSeverity>
    <Description></Description>
    <!-- Match a call to set_CommandText on an IDbCommand whose enclosing function never sets CommandType to 4 (StoredProcedure) -->
    <Predicate><![CDATA[
        FunctionCall fc: fc.function is [Function f: f.name == "set_CommandText" and
                                         f.enclosingClass.supers contains [Class c: c.name == "System.Data.IDbCommand"]] and
        not fc.enclosingFunction contains [FunctionCall call: call.function is
                                               [Function f1: f1.name == "set_CommandType" and
                                                             f1.enclosingClass.supers contains [Class c1: c1.name == "System.Data.IDbCommand"]] and
                                           call.arguments[0].constantValue == 4]
    ]]></Predicate>
</StructuralRule>
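The collision the question describes (two rule packs, one per language, both exposing the same category) is easy to catch before a rule file is shipped. The following linter is an added example, not code from the Stack Overflow answer or from Fortify: it reads the StructuralRule elements in the shape shown above (RuleID, VulnCategory, and the language attribute), reports every rule that lacks a language attribute, and reports every VulnCategory shared by several rules when at least one of them is unscoped. The sample rule file is constructed for the example, the RuleIDs are placeholder GUIDs, and the Rules root element is a stand-in; the real rulepack envelope around the rules is not reproduced here.

```python
"""Lint Fortify custom StructuralRule definitions for missing language scoping.

Added example (not the post's or Fortify's own code). It finds rules that
would fire for every language and categories that collide across languages.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the root <Rules> element stands in for the real rulepack
# envelope, and the RuleIDs are placeholders. Rule 2 is missing language="...".
SAMPLE_RULES = """<Rules>
  <StructuralRule formatVersion="3.8" language="dotnet">
    <RuleID>00000000-0000-0000-0000-000000000001</RuleID>
    <VulnKingdom>Input Validation and Representation</VulnKingdom>
    <VulnCategory>Cross-Site Scripting</VulnCategory>
    <DefaultSeverity>2.0</DefaultSeverity>
    <Description>.NET specific guidance</Description>
    <Predicate><![CDATA[ FunctionCall fc: fc.function is [Function f: f.name == "Write"] ]]></Predicate>
  </StructuralRule>
  <StructuralRule formatVersion="3.8">
    <RuleID>00000000-0000-0000-0000-000000000002</RuleID>
    <VulnKingdom>Input Validation and Representation</VulnKingdom>
    <VulnCategory>Cross-Site Scripting</VulnCategory>
    <DefaultSeverity>2.0</DefaultSeverity>
    <Description>Java specific guidance (but the rule is not scoped to Java)</Description>
    <Predicate><![CDATA[ FunctionCall fc: fc.function is [Function f: f.name == "println"] ]]></Predicate>
  </StructuralRule>
  <StructuralRule formatVersion="3.8" language="java">
    <RuleID>00000000-0000-0000-0000-000000000003</RuleID>
    <VulnKingdom>Input Validation and Representation</VulnKingdom>
    <VulnCategory>SQL Injection</VulnCategory>
    <DefaultSeverity>2.0</DefaultSeverity>
    <Description>Java specific guidance</Description>
    <Predicate><![CDATA[ FunctionCall fc: fc.function is [Function f: f.name == "executeQuery"] ]]></Predicate>
  </StructuralRule>
</Rules>
"""


def local_name(tag):
    """Strip a namespace prefix so the lint works with or without a rulepack xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_rules(xml_text):
    """Return (rule_id, vuln_category, language_or_None) for every StructuralRule."""
    root = ET.fromstring(xml_text)
    rules = []
    for element in root.iter():
        if local_name(element.tag) != "StructuralRule":
            continue
        rule_id = category = ""
        for child in element:
            if local_name(child.tag) == "RuleID":
                rule_id = (child.text or "").strip()
            elif local_name(child.tag) == "VulnCategory":
                category = (child.text or "").strip()
        # get() returns None when the attribute is absent, which is the defect we look for
        rules.append((rule_id, category, element.get("language")))
    return rules


def lint(xml_text):
    """Return human-readable findings; an empty list means every rule is language-scoped."""
    findings = []
    by_category = defaultdict(list)
    for rule_id, category, language in parse_rules(xml_text):
        if language is None:
            findings.append(
                f"{rule_id}: no language attribute, so the rule applies to every language"
            )
        by_category[category].append((rule_id, language))
    for category, members in by_category.items():
        languages = {language for _, language in members}
        # Several rules sharing a category is fine only when each one is scoped
        if len(members) > 1 and None in languages:
            ids = ", ".join(rule_id for rule_id, _ in members)
            findings.append(
                f"category '{category}' is shared by {ids} and at least one is unscoped; "
                f"add language=\"java\" / language=\"dotnet\" to each"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

Run it against a real rule file by replacing SAMPLE_RULES with the file's contents; a clean result is an empty list. Parsing is namespace-agnostic so the same checks work whether or not the rules sit inside a rulepack that declares an xmlns.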


Source: https://stackoverflow.com/questions/18521120/how-to-write-fortify-custom-rules-language-specific
