
I am running Fortify (2.6.5) on a few very large projects, but it is failing to flag a few key issues, which it really must. It seems as if Fortify does some pattern matching for variables named something like 'password', to then perform dataflow analysis. This is great, and helps ensure that privacy violations do not occur with such sensitive data, such as writing them to a logger (in debug).

This is all well and good, but we have cases of passwords being passed into the system through other variable names such as 'credential', as well as other confidential information that needs to be treated with the same level of strictness in handling, as Fortify does with variables containing the string 'password'!

Is there some easy way of adding to / configuring such a list of keywords so that Fortify acts upon them as it does 'password'?

4

2 Answers

1

"Easy" depends on your comfort level with custom rules. You can definitely add a +PRIVATE taint flag (the taint associated with Privacy Violation rules) to variables named "credential" with a CharacterizationRule.

Here's a small example snippet of the structural match rule you'll need to get you started:

    VariableAccess va: va.variable.name matches "(?i).*credential.*" and
                       not va in [AssignmentStatement: lhs.location is va]
                       and
                       ( va.variable.type.name == "java.lang.String" or
                         va.variable.type.name == "java.lang.StringBuffer" or
                         va.variable.type.name matches "byte.*" or
                         va.variable.type.name matches "char.*")
answered 2012-02-24T19:57:50.737
0

There is an easier way to do this with the AWB custom rules wizard. From the rules type list, choose "Characterization Rule" and then "Characterization for private source".

Your variable "credential" is going to be a source of secret or private data. Just follow the wizard and it creates a rule with the regular expression you specify. The expression is case sensitive and it follows the Java regular expressions dialect: http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html

answered 2012-03-31T11:10:19.790
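Both answers describe the same mechanism: a CharacterizationRule whose structural match picks out reads of variables by name, and whose definition adds the +PRIVATE taint so the existing Privacy Violation dataflow rules (for example, the ones that flag logging) treat those reads as sources. The following is an added example of a complete custom rulepack wrapping the structural match from the first answer, written for this page and not code from either answerer or from Fortify itself. It generalizes the single keyword "credential" to the keyword list the question asked for, and uses (?i) so the match is case-insensitive, which addresses the case-sensitivity caveat in the second answer. Assumptions: the RulePack/RuleDefinitions wrapper, the formatVersion and language attributes, and the TaintSource(...) definition syntax follow the custom rules format I know from later SCA versions, so check them against the Custom Rules Guide shipped with your SCA release (2.6.5 here); the RulePackID and RuleID values are placeholder GUIDs that must be replaced with freshly generated ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original answers): custom rulepack that marks
     reads of credential-like variables as +PRIVATE sources. -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <!-- Placeholder GUID: generate your own before loading the rulepack. -->
  <RulePackID>00000000-0000-0000-0000-000000000001</RulePackID>
  <SKU>custom-private-keywords</SKU>
  <Name><![CDATA[Custom private-data keyword sources]]></Name>
  <Version>1.0</Version>
  <Description><![CDATA[
    Treats variables whose names contain credential, secret or passphrase
    (case-insensitive) like the built-in "password" pattern, so that the
    standard Privacy Violation dataflow rules report them when they reach
    a logger or other sink.
  ]]></Description>
  <Rules>
    <RuleDefinitions>
      <!-- formatVersion / language attributes are assumed; confirm against
           the Custom Rules Guide for your SCA version. -->
      <CharacterizationRule formatVersion="3.8" language="java">
        <!-- Placeholder GUID: replace with a freshly generated one. -->
        <RuleID>00000000-0000-0000-0000-000000000002</RuleID>
        <!-- Structural match adapted from the first answer: a read (not an
             assignment target) of a String/StringBuffer/byte[]/char[] variable
             whose name contains one of the listed keywords. -->
        <StructuralMatch><![CDATA[
          VariableAccess va:
            va.variable.name matches "(?i).*(credential|secret|passphrase).*" and
            not va in [AssignmentStatement: lhs.location is va] and
            ( va.variable.type.name == "java.lang.String" or
              va.variable.type.name == "java.lang.StringBuffer" or
              va.variable.type.name matches "byte.*" or
              va.variable.type.name matches "char.*" )
        ]]></StructuralMatch>
        <!-- Attach the +PRIVATE taint flag so existing Privacy Violation
             sink rules (e.g. logging) fire on flows from these reads. -->
        <Definition><![CDATA[
          TaintSource(va, {+PRIVATE})
        ]]></Definition>
      </CharacterizationRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
```

Load the file with the rest of your rules (the -rules option of sourceanalyzer, or through the rulepack settings in Audit Workbench), rescan, and confirm the change with a small test class that writes a local named `userCredential` to a logger: if the rule is picked up, the scan reports a Privacy Violation on that statement. Keeping the keyword alternation in one regular expression means the team maintains a single list rather than one rule per term.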