user3169968

Reputation: 41

How do I use Fortify Annotations In Java Code?

I have a question regarding the names and syntax for using Fortify Code Annotations.

The short, short, really short version is: I am looking for a guide/manual that will list the available in-code annotations and provide an example for their intended use. Specifically for use in having a set of "SQL Injection" and "SQL Injection: Persistence" issues omitted from Fortify Scan results.

TL;DR; Details:

The "suspect" input String arrives from the client and then becomes part of a DDL Statement ("ALTER SESSION ..."). This "cannot be changed", and DDL statements cannot be parameterized.

Sanitizing the input String is ridiculously easy. The (7 character) String is fed through a Regex parser: Pattern.compile(HARDCODED_REGEX_CONSTANT).matcher(suspectString);

Using an annotated method declaration that sends the input through a regex parser has also been part of the validation, e.g. @Pattern(regexp=HARDCODED_REGEX_CONSTANT)

Neither of these 2 approaches is sufficient for Fortify.

Additionally, the suspect input String is also validated against known and valid values (the values are pulled from the database, so Fortify finds that those values are also "suspect").

Of course, none of these are satisfactory for the Fortify Scan.

Creating and storing a custom rule that is external to the code and applied to the scan results is "not going to work" because of "reasons". [I cannot adequately or briefly explain why this simple solution has been rejected.] Suffice it to say, creating a set of "False Positives" to import prior to a Fortify Scan is "not an option", nor is marking "known issues" as "Not an Issue".

Placing an "Ignore this" comment in the code does not satisfy the goal state either. The end evaluation is that the issue remains in the scan results, it is critical, and therefore MUST be resolved.

Restating the request: I would like to place an annotation (or other in-code construct) (e.g. @FortifyValidate, @Fortify?????, etc.) at the points at which a problem is flagged by the Fortify scan.

I cannot find an adequate guide/manual online that will list the available in-code annotations and provide an example for their intended use. Specifically for use in having a set of "SQL Injection" and "SQL Injection: Persistence" issues omitted from Fortify Scan results.

Thank you

Upvotes: 1

Views: 5023

Answers (1)

user3169968

Reputation: 41

Answering my own question as best I can.

The answer that I arrived at was the use of Fortify Annotations. This is not, however, the preferred means by which Fortify issues "should be" resolved. The preferred means of identification, mitigation, and resolution is through the Audit Workbench and Fortify Software Security Center that is integrated into supported Testing and QA processes. Micro Focus provides an overview of how this process can be modeled. https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/1810/AWB_Guide_18.10.pdf

That type of development environment is not available to me.

So, on to the hack:

The only documentation that I found online was: https://community.microfocus.com/t5/Fortify-User-Discussions/Using-Fortify-Java-Annotations/td-p/1500577 It has a few misspellings, but is accurate and useful for integrating the Fortify Annotations library into an existing maven project and then placing the annotations into the code.

Items of note: The page is from 2014 and the Fortify version that is referenced is 4.00. Make sure to use your current Fortify version. Secondly, there are 2 jar files in Fortify 19.1.0 that contain the annotation definitions. They are FortifyAnnotations-CLASS.jar and FortifyAnnotations-SOURCE.jar. I chose to rename the -CLASS.jar and use it instead of cluttering up the build process.

Once imported, or added to the classpath, it is a simple matter to use the annotations to remove specific "taints" (@FortifyXSSValidate) or apply generalized blanket validation (@FortifyValidate).

When custom code is used to ensure validity, it is very useful to use @FortifyValidate("return") annotations.

I recommend using an annotation that is as concise as possible for preventing Fortify from flagging mitigated issues. I would also recommend placing some inline notes or documentation that thoroughly describes why an Annotation has been placed and exactly what makes its placement a viable solution.

Upvotes: 2
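As an added illustration of the approach the answer describes (this is example code written for this page, not code from the question, the answer, or Micro Focus), the following shows a narrow validator annotated with @FortifyValidate("return") feeding the DDL case from the question. The package name com.fortify.annotations is assumed from the FortifyAnnotations jar; the regex, the allow-list, the ALTER SESSION parameter and the class and method names are constructed for the example.

```java
// Example code, not from the original question or answer.
// Assumption: the Fortify annotations live in com.fortify.annotations
// (from FortifyAnnotations-CLASS.jar / FortifyAnnotations-SOURCE.jar).
import com.fortify.annotations.FortifyValidate;

import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;
import java.util.regex.Pattern;

public final class SessionOptionValidator {

    // Constructed allow-list regex: exactly seven upper-case letters or underscores.
    // Anchored and restricted to one character class, so quotes, semicolons,
    // whitespace and comment markers cannot pass and the value cannot terminate
    // or extend the DDL statement it is concatenated into.
    private static final Pattern SAFE_OPTION = Pattern.compile("^[A-Z_]{7}$");

    private SessionOptionValidator() {}

    /**
     * Returns the input unchanged only if it matches the regex and is one of the
     * known values; otherwise it throws (fail closed).
     *
     * @FortifyValidate("return") tells the scanner that the value this method
     * returns is validated. The annotation is only as trustworthy as the body,
     * so the justification is kept next to it: the regex is the primary control
     * (the known-value set comes from the database and is itself treated as
     * tainted by the scan), and the membership check is a secondary control.
     */
    @FortifyValidate("return")
    public static String validateSessionOption(String suspect, Set<String> knownValues) {
        if (suspect == null || !SAFE_OPTION.matcher(suspect).matches()) {
            throw new IllegalArgumentException("session option does not match the allow-list pattern");
        }
        if (!knownValues.contains(suspect)) {
            throw new IllegalArgumentException("session option is not a known value");
        }
        return suspect;
    }

    /** Caller: the DDL is built only from the validated return value. */
    public static void alterSession(Connection conn, String suspect, Set<String> knownValues)
            throws SQLException {
        String option = validateSessionOption(suspect, knownValues);
        // Constructed DDL. ALTER SESSION cannot take bind parameters, which is
        // why the allow-list validation above is the control instead.
        String ddl = "ALTER SESSION SET NLS_TERRITORY = '" + option + "'";
        try (Statement st = conn.createStatement()) {
            st.execute(ddl);
        }
    }
}
```

The annotation goes on the validator only, never on the caller that builds the statement, so that every flow the scanner stops flagging passes through the one method whose body actually enforces the allow-list; a reviewer can then audit the annotation and the check together in one place, which is the inline documentation the answer recommends.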
