Validation and encoding scope
From the Trace view, you can specify custom validation and encoding routines that, once stored in the AppScan® Source Security Knowledgebase, mark data as checked instead of tainted. With the Custom Rules Wizard, you define these routines based on their scope.
See Example 4: Validation in depth for the procedure to create validation and encoding routines.
Validation and encoding routines are defined by their scope, as follows:
API specific
API specific validation and encoding routines may be associated with a single project or multiple projects.
API specific routines will untaint any data coming from all instances of a specific source API. For example, you could specify a validation routine for any input from the API:
javax.servlet.ServletRequest.getParameter(java.lang.String):java.lang.String
API specific routines that apply to multiple projects are stored on the server. API specific routines defined for a single project are stored in that project.
Call site specific
Call site specific routines are always associated with a single project.
Call site specific routines will untaint data coming from a specific location in the code. When you create a call site specific validation or encoding routine, you specify that the routine applies to a particular input call site. Call site specific routines are always stored in the project.
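The two scopes are easiest to see against real call sites. The servlet below is an added illustration written for this page, not code from AppScan Source or its documentation; the class name AccountServlet, the helper InputGuards and its methods are assumed names, and the file compiles only with the Servlet API (javax.servlet) on the classpath. It reads two parameters through javax.servlet.ServletRequest.getParameter: an API specific routine registered for validateAccountId would mark every getParameter value that flows through it as checked in any project that uses the rule, whereas a call site specific routine is tied to exactly one of these getParameter calls in this project and leaves the other one tainted until its own encoding routine handles it.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed helper class (not part of AppScan Source): these methods are the
// candidates you would register as custom validation / encoding routines.
final class InputGuards {
    private static final Pattern ACCOUNT_ID = Pattern.compile("^[0-9]{1,12}$");

    // Validation routine: strict allow-list, reject everything else.
    // Registered as an API specific routine for
    // javax.servlet.ServletRequest.getParameter(java.lang.String):java.lang.String,
    // it untaints every getParameter value that passes through it.
    static String validateAccountId(String raw) {
        if (raw == null || !ACCOUNT_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("account id must be 1-12 digits");
        }
        return raw;
    }

    // Encoding routine: neutralises HTML metacharacters so free text can be
    // written into an HTML response body without changing its structure.
    static String encodeForHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}

public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Call site 1: an API specific routine on getParameter covers this
        // input (and every other getParameter in the project) once the value
        // flows through validateAccountId. A call site specific routine could
        // instead be attached to this single getParameter call only.
        String id = InputGuards.validateAccountId(req.getParameter("id"));

        // Call site 2: free text. A call site specific routine bound only to
        // the "id" call above does not untaint this input; it is marked as
        // checked only because it flows through the encoding routine.
        String note = InputGuards.encodeForHtml(req.getParameter("note"));

        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<p>Account " + id + ": " + note + "</p>");
        }
    }
}
```

When deciding which scope to use, the practical check is whether the routine is safe for every value the source API can produce: validateAccountId is, so an API specific rule is reasonable, while a routine that only makes sense for one parameter belongs on that call site so the remaining getParameter calls stay tainted in the trace.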