I was trying to write a Fortify rule which just checks for a function and flags it when the function comes up. I created a Java file with the following code:
class t {
    public static void main(String[] args) {
        System.out.println("test");
    }
}
class DialogError {
    int getErrorCode() {
        return 10;
    }
}
The intention of the Fortify rule I wrote is to detect any occurrence of getErrorCode inside DialogError and flag the same.
<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF</RulePackID>
  <Name><![CDATA[my test ruleset]]></Name>
  <Version>1.0</Version>
  <Description><![CDATA[Rule to identify an instance of getErrorCode]]></Description>
  <Rules version="3.10">
    <RuleDefinitions>
      <SemanticRule formatVersion="3.10" language="java">
        <MetaInfo>
          <Group name="Accuracy">5.0</Group>
          <Group name="Impact">5.0</Group>
          <Group name="RemediationEffort">5.0</Group>
          <Group name="Probability">5.0</Group>
        </MetaInfo>
        <Label>label lololololol</Label>
        <RuleID>01239X14-ASDF-41AA-BDFA-DF134asdf79A</RuleID>
        <Notes><![CDATA[Checks if DialogError class if found yo]]></Notes>
        <VulnKingdom>Security Features</VulnKingdom>
        <VulnCategory>Function is evil</VulnCategory>
        <VulnSubcategory>Some ol category</VulnSubcategory>
        <DefaultSeverity>3.0</DefaultSeverity>
        <Description formatVersion="3.2">
          <Abstract><![CDATA[YO FIRING YO]]></Abstract>
          <Explanation><![CDATA[YOYOYOYOYO]]></Explanation>
          <Recommendations><![CDATA[YOYOYOYOY]]></Recommendations>
          <References>
            <Reference>
              <Title><![CDATA[YO]]></Title>
              <Source><![CDATA[YOYOYOYOYOYO]]></Source>
            </Reference>
          </References>
        </Description>
        <Type>default</Type>
        <FunctionIdentifier>
          <ClassName>
            <Value>DialogError</Value>
          </ClassName>
          <FunctionName>
            <Value>getErrorCode</Value>
          </FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
      </SemanticRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
What am I doing wrong?
First, your test code never calls the bad function. Here's the corrected code.
class t {
    public static void main(String[] args) {
        // getErrorCode is an instance method, so it has to be called on an
        // instance; a static-style DialogError.getErrorCode() does not compile
        System.out.println(new DialogError().getErrorCode());
    }
}
class DialogError {
    int getErrorCode() {
        return 10;
    }
}
Second, the SKU tag is missing from the Rules definition. The Custom Rules editor will show incorrect XML in the XML view window.
<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF</RulePackID>
  <SKU>SKU-8F66A5A4-CFDA-419B-97D8-4BF26B78EED9</SKU>
  <Name><![CDATA[my test ruleset]]></Name>
  <Version>1.0</Version>
  <Description><![CDATA[Rule to identify an instance of getErrorCode]]></Description>
  <Rules version="3.10">
    <RuleDefinitions>
      <SemanticRule formatVersion="3.10" language="java">
        <MetaInfo>
          <Group name="Accuracy">5.0</Group>
          <Group name="Impact">5.0</Group>
          <Group name="RemediationEffort">5.0</Group>
          <Group name="Probability">5.0</Group>
        </MetaInfo>
        <Label>label lololololol</Label>
        <RuleID>01239X14-ASDF-41AA-BDFA-DF134asdf79A</RuleID>
        <Notes><![CDATA[Checks if DialogError class if found yo]]></Notes>
        <VulnKingdom>Security Features</VulnKingdom>
        <VulnCategory>Function is evil</VulnCategory>
        <VulnSubcategory>Some ol category</VulnSubcategory>
        <DefaultSeverity>3.0</DefaultSeverity>
        <Description formatVersion="3.2">
          <Abstract><![CDATA[YO FIRING YO]]></Abstract>
          <Explanation><![CDATA[YOYOYOYOYO]]></Explanation>
          <Recommendations><![CDATA[YOYOYOYOY]]></Recommendations>
          <References>
            <Reference>
              <Title><![CDATA[YO]]></Title>
              <Source><![CDATA[YOYOYOYOYOYO]]></Source>
            </Reference>
          </References>
        </Description>
        <Type>default</Type>
        <FunctionIdentifier>
          <ClassName>
            <Value>DialogError</Value>
          </ClassName>
          <FunctionName>
            <Value>getErrorCode</Value>
          </FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
      </SemanticRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
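As an added illustration (not code from the question or the answer above), here is a small Python pre-flight check that catches both problems the answer points out before you spend a scan on them. It parses the RulePack, reports top-level elements that are absent relative to the answer's corrected pack (treating RulePackID, SKU, Name and Version as required is this script's assumption, not a documented Fortify schema rule), pulls ClassName/FunctionName out of each SemanticRule's FunctionIdentifier, and then confirms the Java test file both declares and actually calls that method, since a call-site rule with no call site has nothing to flag. The RulePack and Java snippets it runs over are constructed inline from the page.

```python
"""Pre-flight lint for a Fortify custom RulePack plus the Java file meant to trigger it.
Added example; it assumes nothing about Fortify beyond what the answer above shows."""
import re
import xml.etree.ElementTree as ET

# Namespace the RulePack on the page declares.
NS = {"r": "xmlns://www.fortifysoftware.com/schema/rules"}

# Top-level elements present in the answer's corrected RulePack. Requiring
# all four is this script's assumption, not a statement of the Fortify schema.
REQUIRED_PACK_ELEMENTS = ("RulePackID", "SKU", "Name", "Version")


def check_java_source(rule_id: str, cls: str, fn: str, java: str) -> list:
    """Return findings if the test program does not declare, or never calls, cls.fn."""
    findings = []
    if not re.search(rf"\bclass\s+{re.escape(cls)}\b", java):
        findings.append(f"rule {rule_id}: class {cls} is not declared in the test source")
    # Declaration looks like: <type> name(<params>) {
    decl = re.compile(rf"\b\w+(?:\[\])*\s+{re.escape(fn)}\s*\([^)]*\)\s*\{{")
    if not decl.search(java):
        findings.append(f"rule {rule_id}: method {fn} is not declared in the test source")
    # A call site is '.' name '(' ; a declaration has no dot in front of the name.
    if not re.search(rf"\.\s*{re.escape(fn)}\s*\(", java):
        findings.append(
            f"rule {rule_id}: {cls}.{fn} is never called, so a call-site rule has nothing to flag"
        )
    return findings


def lint_rulepack(rulepack_xml: str, java: str) -> list:
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    root = ET.fromstring(rulepack_xml)
    for tag in REQUIRED_PACK_ELEMENTS:
        el = root.find(f"r:{tag}", NS)
        if el is None or not (el.text or "").strip():
            findings.append(f"RulePack is missing <{tag}>")
    for rule in root.iterfind(".//r:SemanticRule", NS):
        rule_id = rule.findtext("r:RuleID", default="?", namespaces=NS)
        fid = rule.find("r:FunctionIdentifier", NS)
        if fid is None:
            findings.append(f"rule {rule_id}: no <FunctionIdentifier>")
            continue
        cls = fid.findtext("r:ClassName/r:Value", default="", namespaces=NS).strip()
        fn = fid.findtext("r:FunctionName/r:Value", default="", namespaces=NS).strip()
        if not cls or not fn:
            findings.append(f"rule {rule_id}: ClassName or FunctionName has no <Value>")
            continue
        findings.extend(check_java_source(rule_id, cls, fn, java))
    return findings


def sample_rulepack(with_sku: bool) -> str:
    """Constructed RulePack, trimmed to the elements the lint looks at."""
    sku = "<SKU>SKU-8F66A5A4-CFDA-419B-97D8-4BF26B78EED9</SKU>" if with_sku else ""
    return f"""<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF</RulePackID>
  {sku}
  <Name>my test ruleset</Name>
  <Version>1.0</Version>
  <Rules version="3.10">
    <RuleDefinitions>
      <SemanticRule formatVersion="3.10" language="java">
        <RuleID>01239X14-ASDF-41AA-BDFA-DF134asdf79A</RuleID>
        <Type>default</Type>
        <FunctionIdentifier>
          <ClassName><Value>DialogError</Value></ClassName>
          <FunctionName><Value>getErrorCode</Value></FunctionName>
        </FunctionIdentifier>
      </SemanticRule>
    </RuleDefinitions>
  </Rules>
</RulePack>"""


# Constructed Java inputs: the question's original file and the answer's fixed one.
JAVA_NO_CALL = """
class t {
    public static void main(String[] args) {
        System.out.println("test");
    }
}
class DialogError {
    int getErrorCode() {
        return 10;
    }
}
"""
JAVA_WITH_CALL = JAVA_NO_CALL.replace(
    'System.out.println("test");',
    "System.out.println(new DialogError().getErrorCode());",
)

if __name__ == "__main__":
    for label, pack, src in (
        ("as posted", sample_rulepack(False), JAVA_NO_CALL),
        ("after the answer's fixes", sample_rulepack(True), JAVA_WITH_CALL),
    ):
        print(label, "->", lint_rulepack(pack, src) or "no findings")
```

Run against the question's pack and Java file it reports two findings, the missing SKU and the uncalled getErrorCode; against the answer's versions it reports none. The regexes are deliberately loose (they will not cope with generics or annotations on the method), which is fine for a trigger file you control but not a substitute for reading the scan's own rule-load warnings.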