Validation and encoding scope

From the Trace view, you can specify custom validation and encoding routines that, once stored in the AppScan® Source Security Knowledgebase, marks data as checked instead of tainted. With the Custom Rules Wizard, you define these routines based on their scope.

See Example 4: Validation in depth for the procedure to create validation and encoding routines.

Validation or encoding routines are based upon their scope and are defined as:

API specific
Call site specific

API specific

API specific validation and encoding routines may be associated with a single project or multiple projects.

API specific routines will untaint any data coming from all instances of a specific source API. For example, you could specify a validation routine for any input from the API:

javax.servlet.ServletRequest.getParameter
(java.lang.string):java.lang.string

API specific routines are stored on the server. API specific routines for a project are stored in the project.

Call site specific

Call site specific routines are always associated with a single project.

Call site specific routines will untaint data coming from a specific location in the code. When you create a call site specific validation or encoding routine, you specify that the routine applies to a particular input call site. Call site specific routines are always stored in the project.

Note: Call site specific applies to any call to the validation routine within the same method.