Example 2: Creating a Validation/Encoding Routine from the Trace view

About this task

Since the AppScan® Source trace identifies the FileInputStream.read method as a source producing tainted data, you can mark the method that sanitizes that data as a validation or encoding routine so that this finding is excluded from future scans. Marking a routine tells AppScan Source to treat data that passes through it as clean, so only mark a method that actually validates or encodes the input; marking a method that merely passes data through suppresses a real finding rather than fixing it.

To create an input validation routine for FileInputStream.read:

Procedure

  1. In the Trace view call graph, right-click the TestCase_IOT_Instance_Val_Encode.encode method.
    Tip: If the validation/encoding routine that you want to create does not appear in the trace graph, you can create the routine by launching the Custom Rules Wizard from the Trace view. Example 2: Creating a Validation/Encoding Routine from the Custom Rules Wizard explains the steps involved in doing this.
  2. Select Mark as a Validation/Encoding routine in the menu.
    [Screenshot: Mark as a Validation/Encoding routine menu item]
  3. If the encode routine applies only to this specific call to FileInputStream.read, select this call to java.io.FileInputStream.read in the Specify how to apply this validation routine dialog box.
    [Screenshot: Specify how to apply this validation routine dialog box]

    Typically, you would choose this call to java.io.FileInputStream.read because the encode method is private to the class and tightly associated with the code around that call.

    Select any call to java.io.FileInputStream.read to apply the validation routine to every call to the read method. When you select this option, also select Apply to this project if the routine is valid only for the current project, or Apply to all projects if it is valid everywhere.

  4. Set up the routine to apply to all read methods of the FileInputStream class and to any sink that has the Technology.IO property (such as the java.io.PrintWriter.write methods):
    1. Adding the read methods as sources: Although you could select any call to java.io.FileInputStream.read(byte[]):int to add java.io.FileInputStream.read(byte[]):int as a source, this example adds the sources individually instead. In the Specify how to apply this validation routine dialog box, select java.io.FileInputStream.read(byte[]):int not considered, all constraints specified below in the Apply to menu. Then click the Sources section Add button. In the Choose Signatures dialog box, expand the java.io section and then the FileInputStream section. Multiselect the java.io.FileInputStream.read* nodes and then click OK.

      [Screenshot: Choose Signatures dialog box]
      Note: The number of signature nodes listed depends on how your application uses the class. Select all of the nodes that you want the routine to apply to.
    2. Adding the sink property: Click the Sink Properties section Add a VMAT property button. In the Choose Properties dialog box, select the Technology.IO property and then click OK.
    3. When all settings are complete, the dialog box should look similar to this:

      [Screenshot: Completed Specify how to apply this validation routine dialog box]
  5. Click OK to save and share the validation routine.
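The following Java program is an added example, not code from the AppScan Source documentation or from the TestCase_IOT_Instance_Val_Encode test case it refers to. It shows the shape of code that the procedure above describes: bytes from the java.io.FileInputStream.read(byte[]):int source reach a java.io.PrintWriter.write sink (a Technology.IO sink) only after passing through a private encode method, which is the method you would mark as the validation/encoding routine. The class name IoValEncodeExample, the method names, the length limit and the choice of validation (strict UTF-8 decoding) and encoding (escaping line separators and other control characters so a crafted file cannot forge extra output lines) are all assumptions made for the example; copyRaw shows the unguarded flow that the trace reports.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class IoValEncodeExample {

    // Assumed limit for the example; a real routine would take it from configuration.
    private static final int MAX_CHARS = 4096;

    // Validation/encoding routine. Every byte that reaches the sink passes through
    // here, which is what makes it legitimate to mark this method as a
    // Validation/Encoding routine for java.io.FileInputStream.read* in AppScan Source.
    private static String encode(byte[] raw) throws IOException {
        // Validate: reject malformed UTF-8 rather than silently substituting U+FFFD.
        String text;
        try {
            text = StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(raw))
                    .toString();
        } catch (CharacterCodingException e) {
            throw new IOException("input is not valid UTF-8", e);
        }
        if (text.length() > MAX_CHARS) {
            throw new IOException("input exceeds " + MAX_CHARS + " characters");
        }
        // Encode: neutralize characters that carry meaning on an IO sink (line and
        // record separators, other C0 controls, DEL) so the file content cannot
        // inject extra records or terminal escape sequences into the output.
        StringBuilder out = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '\n') {
                out.append("\\n");
            } else if (c == '\r') {
                out.append("\\r");
            } else if (c == '\t') {
                out.append("\\t");
            } else if (c < 0x20 || c == 0x7f) {
                out.append(String.format("\\x%02x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Tainted source -> validation/encoding routine -> Technology.IO sink.
    // The whole file is buffered first so a multi-byte UTF-8 sequence split across
    // two read() calls is not misreported as malformed input.
    public static void copyEncoded(Path path, PrintWriter sink) throws IOException {
        ByteArrayOutputStream collected = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        try (FileInputStream in = new FileInputStream(path.toFile())) {
            int n;
            while ((n = in.read(buf)) != -1) {      // source: FileInputStream.read(byte[]):int
                collected.write(buf, 0, n);
            }
        }
        sink.write(encode(collected.toByteArray())); // sink: PrintWriter.write, after encode
        sink.println();
        sink.flush();
    }

    // The flow the trace view reports: the same source feeding the same sink with
    // no validation or encoding in between.
    public static void copyRaw(Path path, PrintWriter sink) throws IOException {
        byte[] buf = new byte[1024];
        try (FileInputStream in = new FileInputStream(path.toFile())) {
            int n;
            while ((n = in.read(buf)) != -1) {
                sink.write(new String(buf, 0, n, StandardCharsets.UTF_8));
            }
        }
        sink.flush();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a second "line" and an ANSI escape smuggled in.
        Path sample = Files.createTempFile("appscan-example", ".txt");
        Files.write(sample, "user=alice\nuser=admin\u001b[31m".getBytes(StandardCharsets.UTF_8));
        PrintWriter out = new PrintWriter(System.out);
        out.println("raw:");
        copyRaw(sample, out);        // prints two lines and an escape sequence
        out.println();
        out.println("encoded:");
        copyEncoded(sample, out);    // prints one line: user=alice\nuser=admin\x1b[31m
        Files.delete(sample);
    }
}
```

When you mark encode as the routine in step 4, the trace from read(byte[]):int to PrintWriter.write through copyEncoded is resolved, while the trace through copyRaw is still reported because no call to the routine lies on that path.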