
I am running Fortify (2.6.5) on a few very large projects, but it is failing to flag a few key issues, which it really must. It seems as if Fortify does some pattern matching for variables named something like 'password', to then perform dataflow analysis. This is great, and helps ensure that privacy violations do not occur with such sensitive data, such as writing them to a logger (in debug).

This is all well and good, but we have cases of passwords being passed into the system through other variable names such as 'credential', as well as other confidential information that needs to be treated with the same level of strictness in handling, as Fortify does with variables containing the string 'password'!

Is there some easy way of adding to / configuring such a list of keywords so that Fortify acts upon them as it does 'password'?


2 Answers


"Easy" depends on how comfortable you are with custom rules. You can definitely use a CharacterizationRule to add the +PRIVATE taint flag (the taint associated with the Privacy Violation rules) to variables named "credential".

Here is a small sample snippet of a structural matching rule to get you started:

    VariableAccess va: va.variable.name matches "(?i).*credential.*" and
        not va in [AssignmentStatement: lhs.location is va] and
        ( va.variable.type.name == "java.lang.String" or
          va.variable.type.name == "java.lang.StringBuffer" or
          va.variable.type.name matches "byte.*" or
          va.variable.type.name matches "char.*" )

answered 2012-02-24T19:57:50.737
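To make the structural match above concrete, here is a constructed Java example (not code from the question or either answer) showing which variable accesses the rule would select and why. It assumes a java.util.logging logger as the privacy sink and the rule exactly as written in the answer; the class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;

// Constructed example: the code shapes the answer's structural rule is meant to cover.
// The rule selects a *read* (VariableAccess that is not an assignment target) of a
// java.lang.String / java.lang.StringBuffer / byte[] / char[] variable whose name contains
// "credential" in any case. The CharacterizationRule then tags that read with +PRIVATE,
// so a flow from it into a logger is reported as a Privacy Violation, the same way a
// variable named "password" already is.
public class CredentialLogging {
    private static final Logger LOG = Logger.getLogger(CredentialLogging.class.getName());

    // Selected by the rule: 'credential' is a String read on the right-hand side, and the
    // value flows straight into a log call. With +PRIVATE attached, this is the finding
    // the question is asking Fortify to produce.
    static void connectUnsafe(String host, String credential) {
        LOG.log(Level.FINE, "connecting to " + host + " with credential " + credential);
        // ... authenticate with credential ...
    }

    // The read of 'userCredential' is still characterized as a PRIVATE source (name and
    // type both match), but it flows only into the authentication path, never into the
    // logger, so there is no source-to-sink path for the privacy rule to report.
    // The occurrence of 'credentialChars' on the left of the assignment is excluded by the
    // "not va in [AssignmentStatement: lhs.location is va]" clause; its later reads are
    // char[] and would match, but again they reach no log sink.
    static void connectSafe(String host, String userCredential) {
        LOG.log(Level.FINE, "connecting to " + host + " (credential redacted)");
        char[] credentialChars = userCredential.toCharArray();
        // ... authenticate with credentialChars ...
        Arrays.fill(credentialChars, '\0'); // clear the secret once it is no longer needed
    }

    // Not selected: the name matches "(?i).*credential.*" but the type is int, which
    // fails the type clause, so an int counter can be logged without a finding.
    static void recordCredentialCount(int credentialCount) {
        LOG.log(Level.FINE, "credentials loaded: " + credentialCount);
    }
}
```

The type clause is what keeps the rule from over-reporting: the case-insensitive name regex alone would also tag counters, flags and enum fields, so restrict it to the string-like and byte/char-array types that can actually carry secret material, and widen the regex (for example to cover "secret" or "token") only after checking how many additional reads it selects in your code base.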

It is easier to do this with the AWB custom rule wizard. From the list of rule types, select "Characterization Rule", then "Characterization for private source".

Your variable "credential" will become a source of secret or private data. Just follow the wizard and it will create a rule using the regular expression you specify. The expression is case-sensitive and follows the Java regex dialect: http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html

answered 2012-03-31T11:10:19.790