Using the Custom Rules wizard

The Custom Rules Wizard helps you add methods to the AppScan® Source Security Knowledgebase. The scope of most custom rules is global (applies to all projects). Custom no-trace findings, sources, sinks, and taint propagators are always global. Custom validation/encoding routines are not global.

Note: The Custom Rules Wizard does not validate your selections. For example, you may define a custom rule that identifies a method as a taint propagator and a sink, which is not a valid scenario.

The Custom Rules Wizard guides you through the process of defining and adding the following items to the Knowledgebase:

  • Sinks and sources
  • Taint propagators
  • Application programming interfaces (API) that are not susceptible to taint
  • Vulnerabilities
  • API that produce findings without trace
  • API that are not validation/encoding routines
  • Tainted callbacks
  • Informational findings

Source (of Taint)

A method that provides input to a program, which might be malformed or malicious.

Sink (Susceptible to Taint)

An API that sends data out of the program (or out of the visible portion of the program) to a file, the network, a database, other library, or device that might be susceptible to malicious input.

Taint Propagator

Marking a method as a taint propagator implies that if any arguments to the API are derived from unvalidated input data (tainted data), then after the call, non-constant data referenced by the other arguments, as well as the return value, are also potentially tainted. Such data must be validated or encoded before being sent to a sink. This situation usually occurs because data from the tainted argument is copied or appended to the other arguments or returned.

Not Susceptible to Taint

Marking an API as not susceptible to taint (not a taint propagator), implies that calling the API with an argument derived from unvalidated input data (tainted data) does not cause the API to behave unsafely or maliciously.

If tainted data reaches a call, and the call is marked not susceptible to taint, AppScan® Source ignores the call as far as tracing is concerned. AppScan® Source trace does not report a lost trace and does not treat the propagated data as tainted.

Note: If tainted data reaches a method that is not a validation or encoding routine, a sink, a taint propagator, or not susceptible to taint, the method is reported as a lost trace. Non-constant arguments and return values may or may not be tainted. The AppScan® Source trace call graph displays a lost trace.

No-Trace Finding

A method or API that always appears as a finding, but does not produce a trace.

Not a Validation/Encoding Routine

Marking an API as Not a Validation/Encoding Routine identifies that this API does not validate any data.

Tainted Callback

A callback is a routine in your code that is typically invoked by other code (for example from within a lower-level framework). The callback is passed as an argument to the other code, and it can be invoked at a later time with possibly tainted arguments. If you suspect that a callback could have tainted data passed to its arguments, you can mark it as a tainted callback. This causes the flow of tainted data through the routine to be visible.

A routine marked as a tainted callback will be analyzed as though it is at the root of the call graph (in other words, called by some unknown external caller) with all of its input arguments considered to be tainted. As a result, AppScan® Source will report findings with traces which begin at the arguments to the tainted callback.

If the same routine is called in other contexts by your application code, it will be treated without any special considerations for taint. In those contexts, the usual analysis will take place.

Informational

Lines of code identified as informational findings may not be vulnerable but should be included in a security audit.