SoftwareSecurity2013/Group 1/Custom Fortify Rules
Custom Fortify Rules
Fortify has support for scanning PHP files. For a majority of the built-in PHP functions, rules already exist that tell the scanner which functions validate or sanitize data. You can extend this rule set with rules about your own (custom) functions, which results in fewer false positives during a scan. For future reference, this document describes how to create such a rule and thereby reduce the number of false positives.
Step 1
In the right-hand toolbar, select the function you want to generate a rule for. Right-click it and choose 'Generate Rule for Function'. The dialog below appears, in which you select the type of rule. In this case we selected 'Cross Site Script Validation Rule' for the pun_htmlspecialchars function. Click next.
Step 2
PHP is not offered as a language in this dialog, so select Java. We found out why by running the Code Scanning Command Line tool with the help switch: its output lists PHP under the generic category, as "Generic (Java, configuration, PHP, JavaScript, ASP/VBScript, VB6)". Click next.
Step 3
Click next.
Step 4
In this case it is the output of 'pun_htmlspecialchars' that is considered safe, so select the return value as the validated value. Click next.
Step 5
Select a file to save the new rule (rulepack) to and check 'Run a scan using this rulepack'. Click finish.
Step 6
A dialog will appear where you can initiate a new scan. A quick scan is enough to rescan all the current files.
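The wizard above writes the rule into an XML rulepack file. The rulepack below is an added example of what such a file looks like, written by hand for this page; it is not the file the wizard produced for this project. It uses the element names from Fortify's custom rulepack format (RulePack, DataflowCleanseRule, FunctionIdentifier, OutArguments) and marks the return value of pun_htmlspecialchars as cleansed for cross-site scripting, which is what steps 1 and 4 select. The RulePackID, SKU and RuleID values are placeholders, the format version and the exact taint flag name are assumptions that should be checked against the Fortify Custom Rules Guide for the installed version, and the language attribute is set to php on the assumption that a hand-written rule may name PHP directly even though the wizard only offers Java.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative custom rulepack (not the wizard's output); IDs are placeholders -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
    <RulePackID>PLACEHOLDER-RULEPACK-ID</RulePackID>
    <SKU>PLACEHOLDER-SKU</SKU>
    <Name><![CDATA[Group 1 custom PHP rules]]></Name>
    <Version>1.0</Version>
    <Description><![CDATA[Marks project-specific sanitizers as cleanse functions so their
    output is no longer reported as tainted.]]></Description>
    <!-- format version is an assumption; use the one your Fortify release documents -->
    <Rules version="3.2">
        <RuleDefinitions>
            <!-- A cleanse rule removes the named taint from the selected output.
                 This is a strong claim: only add it for a function whose output
                 really is safe in the HTML contexts where the project uses it. -->
            <DataflowCleanseRule formatVersion="3.2" language="php">
                <RuleID>PLACEHOLDER-RULE-ID</RuleID>
                <!-- Flag name is an assumption: the XSS validation flag in your rules guide -->
                <TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING</TaintFlags>
                <FunctionIdentifier>
                    <!-- pun_htmlspecialchars is a plain global function, so no class/namespace -->
                    <NamespaceName><Pattern/></NamespaceName>
                    <ClassName><Pattern/></ClassName>
                    <FunctionName><Pattern>pun_htmlspecialchars</Pattern></FunctionName>
                    <ApplyTo implements="true" overrides="true" extends="true"/>
                </FunctionIdentifier>
                <!-- Step 4: the return value is the cleansed value -->
                <OutArguments>return</OutArguments>
            </DataflowCleanseRule>
        </RuleDefinitions>
    </Rules>
</RulePack>
```

Point the scan at this file with the rulepack option of the command-line scanner (or via the 'Run a scan using this rulepack' checkbox from step 5) and compare the issue count before and after; XSS findings whose data flow passes through pun_htmlspecialchars should disappear. Findings that remain are worth a look rather than another rule: the cleanse rule only covers the return value, so a sink that receives the unencoded argument, or a sink in a context the encoding does not cover, is still reported correctly.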