Adding a rule
This task topic describes the procedure for adding a custom rule using the Custom Rules Wizard.
About this task
Note: Adding or removing security or scan coverage findings and changing severity affects the project's V-Density.
Procedure
- Open the wizard from the Custom Rules view by clicking the Launch Custom Rules Wizard button.
- In the Select Application, Project, and Files page, select the Application and Project that the rule will apply to. Be certain that the current application and project relate to the source code of the item you want to add to the Knowledgebase. Select the Configuration if one is available.
- In the Scope section, set the scope of the scan. Depending on the language that you are scanning, these are the scope options:
Table 1. Project file options by language
- .NET:
  - Scan the whole project for method signatures
  - Select one or more files external to the project
  A .NET project includes any valid assembly, typically a .dll or .exe file.
- Java™:
  - Scan the whole project for method signatures
  - Select one or more files in the project
  - Select one or more files external to the project
  A Java™ project includes .jar or .class files or a directory hierarchy of class files.
- C/C++:
  - Scan the whole project for method signatures
  - Select one or more files in the project
- Visual Basic: Scan FRM (forms) files, CLS (class) files, and BAS (basic) files
- Classic ASP: Scan ASP files only
- Scan the whole project for method signatures is the default scan mode. This mode scans the entire project and returns all available signatures. This scan mode may be time consuming.
- The Select one or more files in the project option isolates certain project files containing methods that might require custom rules.
- The Select one or more files external to the project option identifies files external to this project to include in the scan.
- In the Caching section, select the check box to reread a modified project or modified code. The vulnerability analysis cache will also be cleared (if the current project is set to cache vulnerability analysis, the vulnerability analysis cache will be recreated in the next scan).
- String Analysis: String analysis monitors string manipulation in Java™ or Microsoft™ .NET projects. It provides the automatic detection of sanitizer and validator routines. With this detection, false positives and false negatives can be reduced. Select the Enable String Analysis to find validator/sanitizer functions check box to enable string analysis. The Apply imported rules to Global Scope check box determines whether the discovered sanitizer or validator routines are applied to a single project or globally (to all projects).
Note: String analysis can slow a scan. It is therefore recommended that it is enabled only after code changes and then disabled for subsequent scans. In addition, the discovered routines should be viewed as suggestions and reviewed by auditors. These routines can be viewed in the Custom Rules view.
- Click Next to proceed to the next page in the wizard.
- In the Select Methods page:
- If you are adding methods as Not Susceptible to Taint, Not a Validation/Encoding Routine, a Taint Propagator, or a Tainted Callback, click Finish to add the records to the AppScan® Source Security Knowledgebase.
- If you are adding methods as Source (of Taint) or Informational:
- If you are adding methods as Sink (Susceptible to Taint):
- If you are adding methods as No-Trace Finding:
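As an added illustration (not AppScan Source's engine or any code from the product), the toy taint tracker below models how the rule categories above change what a scan reports: a method marked Source introduces taint, a Sink called with a tainted argument produces a finding, a Taint Propagator or unknown method passes taint along, and a Validation/Encoding Routine clears it. The method signatures and the call sequence are constructed for the example; `MyUtil.escapeSql` is a hypothetical in-house sanitizer.

```python
"""Toy taint tracker; illustrative model only, not AppScan Source's analysis."""

# Rule kinds named after the Custom Rules Wizard categories on this page.
SOURCE = "Source (of Taint)"
SINK = "Sink (Susceptible to Taint)"
VALIDATOR = "Validation/Encoding Routine"
NOT_SUSCEPTIBLE = "Not Susceptible to Taint"


def find_findings(rules, trace):
    """rules: method signature -> rule kind. trace: (result_var, callee, arg_vars)
    statements in execution order. Returns the sinks reached by tainted data."""
    tainted = set()
    findings = []
    for result, callee, args in trace:
        kind = rules.get(callee)
        args_tainted = any(a in tainted for a in args)
        tainted.discard(result)  # the assignment overwrites any earlier taint
        if kind == SOURCE:
            tainted.add(result)
        elif kind == SINK and args_tainted:
            findings.append(callee)
        elif kind == VALIDATOR:
            pass  # output of a validator/sanitizer is treated as clean
        elif kind == NOT_SUSCEPTIBLE:
            pass  # safe even with tainted input, and returns nothing tainted
        elif args_tainted:  # Taint Propagator, or an unknown method (conservative)
            tainted.add(result)
    return findings


# Constructed Java-style call sequence (MyUtil.escapeSql is hypothetical).
TRACE = [
    ("user", "HttpServletRequest.getParameter(String)", []),
    ("query", "StringBuilder.append(String)", ["user"]),  # no rule: propagates
    ("safe", "MyUtil.escapeSql(String)", ["query"]),      # in-house sanitizer
    ("rows", "Statement.executeQuery(String)", ["safe"]),
]


def demo():
    """Findings before and after adding a custom rule for the sanitizer."""
    rules = {
        "HttpServletRequest.getParameter(String)": SOURCE,
        "Statement.executeQuery(String)": SINK,
    }
    before = find_findings(rules, TRACE)  # sanitizer unknown: reported as a finding
    rules["MyUtil.escapeSql(String)"] = VALIDATOR  # the rule the wizard would add
    after = find_findings(rules, TRACE)  # taint cleared: the finding disappears
    return before, after  # (['Statement.executeQuery(String)'], [])
```

The same model shows why a routine discovered by string analysis should be reviewed before it is applied globally: a wrongly classified validator silences every flow that passes through it.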