Adding a rule

This task topic describes the procedure for adding a custom rule using the Custom Rules Wizard.

About this task

Note: Adding or removing security or scan coverage findings and changing severity affects the project's V-Density.

Procedure

  1. Open the wizard from the Custom Rules view by clicking the Launch Custom Rules Wizard button.
  2. In the Select Application, Project, and Files page, select the Application and Project that the rule will apply to. Be certain that the current application and project relate to the source code of the item you want to add to the Knowledgebase. Select the Configuration if one is available.
  3. In the Scope section, set the scope of the scan. Depending on the language that you are scanning, these are the scope options:
    Table 1. Project file options by language

    .NET
    • Scan the whole project for method signatures
    • Select one or more files external to the project
    A .NET project includes any valid assembly, typically a .dll or .exe file.

    Java
    • Scan the whole project for method signatures
    • Select one or more files in the project
    • Select one or more files external to the project
    A Java project includes .jar or .class files or a directory hierarchy of class files.

    C/C++
    • Scan the whole project for method signatures
    • Select one or more files in the project

    Visual Basic
    • Scan FRM (forms) files, CLS (class) files, and BAS (basic)

    Classic ASP
    • Scan ASP files only

    The scope options are:
    • Scan the whole project for method signatures is the default scan mode. This mode scans the entire project and returns all available signatures. This scan mode may be time consuming.
    • The Select one or more files in the project option isolates certain project files containing methods that might require custom rules.
    • The Select one or more files external to the project option identifies files external to this project to include in the scan.
  4. In the Caching section, select the check box to reread a modified project or modified code. The vulnerability analysis cache will also be cleared (if the current project is set to cache vulnerability analysis, the vulnerability analysis cache will be recreated in the next scan).
  5. String Analysis: String analysis monitors string manipulation in Java or Microsoft .NET projects. It provides the automatic detection of sanitizer and validator routines. With this detection, false positives and negatives can be reduced. Select the Enable String Analysis to find validator/sanitizer functions check box to enable string analysis. The Apply imported rules to Global Scope check box determines if the discovered sanitizer or validator routines should be applied to a single project or on a global level (to all projects).
    Note: String analysis can slow a scan. It is therefore recommended that it be enabled only after code changes and then disabled for subsequent scans. In addition, the discovered routines should be treated as suggestions and reviewed by auditors. These routines can be viewed in the Custom Rules view.
  6. Click Next to proceed to the next page in the wizard.
  7. In the Select Methods page:
    1. Select the method or methods to add to the Knowledgebase. The method is the name of the vulnerable API.

      The list of methods can be filtered in two ways:

      • Automatic filtering: Type the filter text in the Filter field. As you type, the filter is automatically applied to the list of methods. This is the default filter mode.
      • Manual filtering: Type the filter text in the Filter field and then click the Filter button (or press Enter) to apply the filter to the list. You may want to use manual filtering when large numbers of methods cause automatic filtering delays.

      In both cases, the asterisk (*) and question mark (?) characters can be used as wildcards. An asterisk matches any group of zero or more characters, while a question mark matches any single character.

      To change the filter mode, use the Filter button as a toggle by double-clicking it, or by navigating to it with the keyboard and pressing the space bar. When manual filtering is on, the Filter button appears not pressed and its hover help reads Apply filter (double-click or press space to filter automatically). When automatic filtering is on, the button appears pressed and its hover help reads Filter manually.

      To better view the list of methods, expand and collapse actions are available. To expand or collapse the entire tree, right-click and select Expand All or Collapse All. To expand a package or class and all of its subentries, right-click the package or class and select Expand Children.

      To select multiple methods, use the Ctrl or Shift keys (command or shift keys on a Mac keyboard).

      Select the Show full signatures check box to display the fully qualified signature of the methods in the tree. For example, the fully qualified Java signature includes the package, class, method, argument types, and return type, such as com.test.vulnerable.VulnClass.vulnerable(java.lang.String;int):int.

    2. Specify which of the following the scan should mark the method as; the remaining steps depend on this choice:
  8. If you are adding methods as Not Susceptible to Taint, Not a Validation/Encoding Routine, a Taint Propagator, or a Tainted Callback, click Finish to add the records to the AppScan® Source Security Knowledgebase.
  9. If you are adding methods as Source (of Taint) or Informational:
    1. Click Next to proceed to the Assign Rule Attributes page.
    2. For each method that you have added: Select one or more properties to assign to the method. The method's Type column will update to indicate the vulnerability type of the findings that will be produced by the custom rule.
      Tip: To add the same properties to multiple methods, multiselect the methods using the Ctrl or Shift keys (command or shift keys on a Mac keyboard) and then select the properties that you want to assign to the methods.
    3. Click Finish to add the records to the AppScan® Source Security Knowledgebase.
  10. If you are adding methods as Sink (Susceptible to Taint):
    1. Click Next to proceed to the Assign Rule Attributes page.
    2. For each method that you have added:
      • Select the Severity level of the vulnerability's impact: High, Medium, or Low.
      • Select the Vulnerability Type to apply to the method.
      Tip: To add the same properties to multiple methods, multiselect the methods using the Ctrl or Shift keys (command or shift keys on a Mac keyboard) and then select the properties that you want to assign to the methods.
    3. Click Finish to add the records to the AppScan® Source Security Knowledgebase.
  11. If you are adding methods as No-Trace Finding:
    1. Click Next to proceed to the Assign Rule Attributes page.
    2. For each method that you have added:
      • Select the Severity level of the vulnerability's impact: High, Medium, or Low.
      • Select the Classification to assign to the method: Definitive, Suspect, or Configuration.
      • Select the Vulnerability Type to apply to the method.
      Tip: To add the same properties to multiple methods, multiselect the methods using the Ctrl or Shift keys (command or shift keys on a Mac keyboard) and then select the properties that you want to assign to the methods.
    3. Click Finish to add the records to the AppScan® Source Security Knowledgebase.
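The wildcard filter of step 7 and the rule categories of steps 8 through 11, as an added Python example that is not part of this documentation and not AppScan Source code: it implements the asterisk and question-mark filter over fully qualified signatures (assuming the pattern must match the whole signature) and walks a constructed call trace with a constructed rule set to show how Source, Taint Propagator, Sink, sanitizer, and Not Susceptible to Taint records decide which sink calls become findings. The java.* and javax.* API names are real; the com.example.util.Escaper class, the trace, the variable names, and the "SQL Injection" label are invented, and the taint walk is a deliberate simplification, not the product's engine.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# ---- 1. The Filter field's wildcards ----------------------------------------
# '*' matches zero or more characters, '?' matches exactly one; every other
# character ('.', '(', ':' ...) is literal. Assumption of this example: the
# pattern has to match the whole fully qualified signature.

def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    escaped = re.escape(pattern)                                # '.' '(' ')' become literal
    regex = escaped.replace(r"\*", ".*").replace(r"\?", ".")    # restore the two wildcards
    return re.compile("^" + regex + "$")


def filter_methods(signatures: Iterable[str], pattern: str) -> List[str]:
    """Return the signatures (in display order) that match the filter pattern."""
    rx = wildcard_to_regex(pattern)
    return [s for s in signatures if rx.match(s)]


# ---- 2. Rule categories and a toy taint walk --------------------------------
SOURCE = "Source (of Taint)"
SINK = "Sink (Susceptible to Taint)"
PROPAGATOR = "Taint Propagator"
SANITIZER = "Validation/Encoding Routine"      # what string analysis discovers
NOT_TAINTED = "Not Susceptible to Taint"


@dataclass(frozen=True)
class Rule:
    kind: str
    severity: str = ""      # High / Medium / Low; sinks only
    vuln_type: str = ""     # vulnerability type label; sinks only


@dataclass(frozen=True)
class Finding:
    method: str
    variable: str           # the tainted input that reached the sink
    severity: str
    vuln_type: str


# Constructed rule set keyed by fully qualified signature
# (package.Class.method(argumentTypes):returnType). The java.* / javax.* APIs are
# real; com.example.util.Escaper and the "SQL Injection" label are invented.
RULES: Dict[str, Rule] = {
    "javax.servlet.ServletRequest.getParameter(java.lang.String):java.lang.String": Rule(SOURCE),
    "java.lang.String.concat(java.lang.String):java.lang.String": Rule(PROPAGATOR),
    "java.lang.String.length():int": Rule(NOT_TAINTED),
    "com.example.util.Escaper.sqlEscape(java.lang.String):java.lang.String": Rule(SANITIZER),
    "java.sql.Statement.executeQuery(java.lang.String):java.sql.ResultSet": Rule(SINK, "High", "SQL Injection"),
}

# One statement of a constructed call trace: (result variable, signature, inputs incl. receiver).
Statement = Tuple[str, str, List[str]]
TRACE: List[Statement] = [
    ("userId", "javax.servlet.ServletRequest.getParameter(java.lang.String):java.lang.String", ["request"]),
    ("query", "java.lang.String.concat(java.lang.String):java.lang.String", ["prefix", "userId"]),
    ("rows", "java.sql.Statement.executeQuery(java.lang.String):java.sql.ResultSet", ["stmt", "query"]),
    ("safeId", "com.example.util.Escaper.sqlEscape(java.lang.String):java.lang.String", ["userId"]),
    ("safeQuery", "java.lang.String.concat(java.lang.String):java.lang.String", ["prefix", "safeId"]),
    ("rows2", "java.sql.Statement.executeQuery(java.lang.String):java.sql.ResultSet", ["stmt", "safeQuery"]),
    ("n", "java.lang.String.length():int", ["userId"]),
    ("label", "java.lang.String.valueOf(int):java.lang.String", ["n"]),      # unrated method
    ("rows3", "java.sql.Statement.executeQuery(java.lang.String):java.sql.ResultSet", ["stmt", "label"]),
]


def analyze(trace: Iterable[Statement], rules: Dict[str, Rule]) -> List[Finding]:
    """Simplified taint walk: a sink called with a tainted input yields a finding."""
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for result, sig, inputs in trace:
        rule = rules.get(sig)
        kind = rule.kind if rule else PROPAGATOR    # unrated: assume taint flows through
        tainted_inputs = [v for v in inputs if v in tainted]
        if kind == SINK and tainted_inputs:
            findings.append(Finding(sig, tainted_inputs[0], rule.severity, rule.vuln_type))
        if kind == SOURCE or (kind == PROPAGATOR and tainted_inputs):
            tainted.add(result)
        else:                                       # sanitizer, not-susceptible, sink, or clean inputs
            tainted.discard(result)
    return findings


def rules_without_suppressors() -> Dict[str, Rule]:
    """The same rule set with the sanitizer and Not Susceptible to Taint records removed."""
    return {sig: r for sig, r in RULES.items() if r.kind not in (SANITIZER, NOT_TAINTED)}


if __name__ == "__main__":
    for pattern in ("java.lang.String.*", "*executeQuery*", "java.lang.Strin?.length():int"):
        print(pattern, "->", filter_methods(RULES, pattern))
    for f in analyze(TRACE, RULES):
        print("finding:", f)
    print("findings without the suppressing rules:", len(analyze(TRACE, rules_without_suppressors())))
```

With the full rule set only the first executeQuery call is reported, because the sanitizer record clears safeId and the Not Susceptible to Taint record clears n. Dropping those two records makes the same trace produce three findings, which is the false-positive effect the Note under string analysis refers to and the reason discovered routines should still be reviewed before they are applied globally.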