Supported .NET source code attributes

When using static analysis to scan .NET, [ValidatorMethod], [CallbackMethod], and [SuppressSecurityTrace] method-level attributes are supported. When these attributes are used, [ValidatorMethod()], [CallbackMethod()], and [SuppressSecurityTrace()] are also accepted.

Using attributes

Attributes can be used by following these steps:

  1. Support for attributes is enabled by default. The SecurityAttributes.dll file that defines the attributes is located in the \annotation directory of the extracted SAClientUtil_<version>_<os>.zip file.
  2. If you are scanning precompiled classes, .exe files, or .dll files, add a reference to SecurityAttributes.dll in the .NET project that contains the annotated sources, then rebuild the project so that the attributes are compiled into the binaries that are scanned.
  3. If you are scanning in an integrated development environment (IDE) that has the static analysis plug-in installed, add SecurityAttributes.dll as a reference.
  4. If you are using the static analysis CLI, create a configuration file and, in it, set CustomBuildInfo additional_classpath="dependency_path", where dependency_path includes the directory that contains SecurityAttributes.dll.

Attributes can be added to source code before scanning, or they can be added after scanning, during triage, to identify and eliminate false positives. If you are scanning in an IDE that has the static analysis plug-in installed, a Help Me Fix This button is available in the scan report. When you select this button, you are shown possible points where attributes can be added.

Attributes let you record your own knowledge of the code directly in the source. Because an attribute can declare a portion of code safe, use attributes with care: never apply them to code that should still be scanned for security vulnerabilities, and review each one as you would a suppression, since a misplaced attribute hides real findings. If attributes are used, a security analyst can choose to ignore them by disabling the feature in the irgen-engine.apsettings file located in the \config directory of the extracted SAClientUtil_<version>_<os>.zip file. In this file, locate this setting:

<Setting 
  name="process_security_annotations"
  value="true"
  default_value="true"
  description="When turned on, method annotations will be processed - used by DotNet and Java LSPs"
  display_name="Process Security Annotations"
  type="bool"
/>

To disable the feature, change value="true" to value="false".

Note: If the setting has previously been changed to value="false" (for example, by an analyst who chose to ignore attributes), change it back to value="true" before scanning if you want the attributes to be honored.

[ValidatorMethod] or [ValidatorMethod()]

Validators are methods that check input data and typically return a boolean value that indicates whether the input is valid. Sanitizers, by contrast, do not accept or reject input: they transform the user input into an acceptable format and return the transformed value.

Using the [ValidatorMethod] attribute, you can identify all validator and sanitizer methods in the application source code. During static analysis scans, this information will be used to remove data flows that pass through these methods since the data is now considered safe.

Note: Currently, there is no provision to specify which parameters of the annotated method should be considered as validated. During static analysis scans, all input parameters will be assumed to be validated.

[SuppressSecurityTrace] or [SuppressSecurityTrace()]

All traces that flow through a method marked with this attribute are removed. This is useful when a group of traces has been identified as false positives, or as less important or interesting than the others. You can use this attribute to filter out those traces, or to hide them to reduce clutter in the report. Because the suppression applies to every trace through the method, not only the ones you triaged, confirm that no other sink is reachable through it before adding the attribute.

[CallbackMethod] or [CallbackMethod()]

This attribute is used to identify callbacks or entry points to an application. All arguments are considered to be carrying taint.
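The following C# class is an added example, not code from the page or from the product, showing the three attributes together on a small request handler: a [CallbackMethod] entry point whose arguments are all tainted, a [ValidatorMethod] validator and a [ValidatorMethod] sanitizer that end the data flows passing through them, and a [SuppressSecurityTrace] method that hides traces through a debug-only log. It assumes SecurityAttributes.dll is referenced by the project; the namespace imported below and the class and method names are assumptions for illustration. The commented-out method at the end illustrates the caveat above: every parameter of an annotated validator is treated as validated, so a validator that checks only one of its parameters must not be annotated.

```csharp
// Added example: demonstrates [CallbackMethod], [ValidatorMethod] and
// [SuppressSecurityTrace] on a small handler. Requires a reference to
// SecurityAttributes.dll from the \annotation directory of SAClientUtil.
using System;
using System.Text.RegularExpressions;
using SecurityAttributes; // assumed namespace; use the one the DLL exports

public class OrderHandler
{
    // Entry point: the scanner treats every argument as carrying taint,
    // so orderId and note both start tainted here.
    [CallbackMethod]
    public string HandleRequest(string orderId, string note)
    {
        if (!IsValidOrderId(orderId))
            return "rejected";

        string safeNote = SanitizeNote(note);
        DebugLog(orderId, safeNote);
        return LookupOrder(orderId, safeNote);
    }

    // Validator: returns true only for the strict shape we accept.
    // Flows through this method are dropped by the scan because the
    // data is considered safe afterwards; keep the check correspondingly strict.
    [ValidatorMethod]
    private static bool IsValidOrderId(string orderId)
    {
        return orderId != null && Regex.IsMatch(orderId, @"^[0-9]{1,10}$");
    }

    // Sanitizer: rewrites the input instead of rejecting it. Marked with the
    // same attribute, since the scan treats validators and sanitizers alike.
    [ValidatorMethod]
    private static string SanitizeNote(string note)
    {
        if (note == null) return string.Empty;
        // allow-list: letters, digits, space and a little punctuation
        return Regex.Replace(note, @"[^A-Za-z0-9 .,!?-]", string.Empty);
    }

    // Traces into this debug-only log were triaged as low interest for this
    // team; suppressing them removes clutter without touching other sinks.
    [SuppressSecurityTrace]
    private static void DebugLog(string orderId, string note)
    {
        Console.WriteLine($"order={orderId} note={note}");
    }

    private static string LookupOrder(string orderId, string note)
    {
        // stand-in for data access; real code would use a parameterized query
        return $"order {orderId} ({note})";
    }

    // DO NOT annotate a method like this one. Only quantity is checked, but
    // the scanner would treat comment as validated as well, and any injection
    // through comment downstream of this call would disappear from the report.
    // [ValidatorMethod]
    private static bool CheckQuantityOnly(string quantity, string comment)
    {
        return quantity != null && Regex.IsMatch(quantity, @"^[0-9]{1,4}$");
    }
}
```

If the team later decides the debug log is a real finding, removing the single [SuppressSecurityTrace] attribute restores all traces through DebugLog on the next scan; no other configuration needs to change.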