SoftwareSecurity2013/Group 1/Custom Fortify Rules

Built-in methods known to Fortify. As one can see, pun_htmlspecialchars is marked red while htmlspecialchars is marked green, even though the former is only a wrapper around the latter.

Custom Fortify Rules

Fortify has support for working with PHP files. For the majority of the built-in methods, rules have been created to validate and scan the code. You can extend the set of rules with rules about custom methods, resulting in fewer false positives during a scan. For future reference, this document describes how to create new rules and reduce the number of false positives.

Step 1

Select a method in the right toolbar to generate a rule for it. Right-click and select 'Generate Rule for Function'. You should see the dialog below, where you can select a rule type. In this case, we've selected 'Cross Site Script Validation Rule' for the pun_htmlspecialchars method. Click next.

Fortify Step1.png

Step 2

Since PHP isn't offered as a language here, select Java. We discovered this via the Code Scanning Command Line tool with the help switch, which outputs: Generic (Java, configuration, PHP, JavaScript, ASP/VBScript, VB6). Click next.

Fortify Step2.png

Step 3

Click next.

Fortify Step3.png

Step 4

In this case, the output of 'pun_htmlspecialchars' is safe (it only wraps htmlspecialchars), so select the return value as the validated value. Click next.

Fortify Step4.png

Step 5

Select a file to save the new rule to and check 'Run a scan using this rulepack'. Click finish.

Fortify Step5.png

Step 6

A dialog will appear where you can initiate a new scan. A quick scan is enough to rescan all the current files with the new rulepack applied.
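To make the effect of the generated rule concrete, here is an added example (not part of the original page and not Fortify's own engine): a toy taint tracker over a small constructed program, where the set of known cleansers stands in for the rulepack. The function names strtoupper and the variable names are assumptions chosen for the illustration.

```python
# Toy model of a dataflow "validation rule": a cleanser function stops taint
# from flowing out of its return value. Constructed for illustration only.

def scan(program, cleansers):
    """Return XSS findings: sink calls that receive tainted data.

    program: list of statements in one of three shapes
      ("source", var)            e.g. $q = $_GET['q']
      ("call", dst, func, arg)   e.g. $y = func($x)
      ("sink", func, arg)        e.g. echo $y
    cleansers: set of function names the rulepack treats as XSS validators
    """
    tainted = set()
    findings = []
    for stmt in program:
        kind = stmt[0]
        if kind == "source":
            tainted.add(stmt[1])
        elif kind == "call":
            _, dst, func, arg = stmt
            if arg in tainted and func not in cleansers:
                tainted.add(dst)        # unknown function: taint propagates
            else:
                tainted.discard(dst)    # known cleanser: return value is clean
        elif kind == "sink":
            _, func, arg = stmt
            if arg in tainted:
                findings.append(f"XSS: {func}({arg})")
    return findings

# Constructed program: one real cleanser, one wrapper, one non-cleansing call.
PROGRAM = [
    ("source", "$q"),
    ("call", "$safe1", "htmlspecialchars", "$q"),
    ("sink", "echo", "$safe1"),
    ("call", "$safe2", "pun_htmlspecialchars", "$q"),
    ("sink", "echo", "$safe2"),
    ("call", "$upper", "strtoupper", "$q"),
    ("sink", "echo", "$upper"),
]

def builtin_rules_scan():
    # Only the built-in rulepack: the wrapper is reported (a false positive).
    return scan(PROGRAM, {"htmlspecialchars"})

def custom_rules_scan():
    # With the generated validation rule for the wrapper added.
    return scan(PROGRAM, {"htmlspecialchars", "pun_htmlspecialchars"})
```

The remaining finding on $upper is a true positive: strtoupper does not encode anything, so a rule should only ever be generated for functions that really do validate their input.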