HP Fortify -- annotating method parameters


Question

I'm trying to eliminate false-positives from an HP Fortify scan of a Java application.

This method causes a "Privacy Violation" issue (the PrintWriter is a servlet response)

 private void writeOutput(String passwordRules, PrintWriter out) {
      ...
      out.print(passwordRules);
      ...
 }

This is because Fortify follows naming conventions, to decide that passwordRules contains private data. But my passwordRules is not private data -- it contains stuff like "Minimum 8 characters".

I can make the error go away by changing the name of the variable. However in principle I don't want to compromise the readability of my code, for the benefit of a source code analyser.

I expected this to fix it:

 private void writeOutput(@FortifyNotPassword String passwordRules, PrintWriter out) ...

However it seems the annotation isn't written for that context:

 The annotation @FortifyNotPassword is disallowed for this location.

I tried:

 private void writeOutput(String passwordRules, PrintWriter out) {
      ...
      @FortifyNotPassword String rules = passwordRules;
      out.print(rules);
      ...
 }

... but this doesn't remove the false-positive. (And it compromises my principle of not making code less readable).

I've also tried the above with @FortifyNotPrivate, with the same results.

So what's the right way to do this?

Recommended answer

Fortify offers you two ways to deal with this situation: 1) suppress the issue, or 2) hide the issue. Which you select depends on what you believe will work best for you.

Suppressed issues. You can mark an issue as suppressed if you are sure that the specific vulnerability is not, and never will be, a concern. You might also want to suppress warnings for specific types of issues that might not be high priority or of immediate concern. For example, you can suppress issues that are fixed, or issues that - in your case - you do not plan to fix. Suppressed issues are not included in the group totals shown in the issues panel. This approach may be best when you want to eliminate awareness of the issue altogether.

Hidden issues. You can hide a group of issues temporarily to avoid distraction as you focus elsewhere. For example, you could hide all issues except those assigned to you. The individuals assigned to address the issues you have hidden in your view can still access them. The group totals displayed in the issues panel include hidden issues. If you find an issue in a folder list that you want to hide or direct to another folder, you can create a new filter using the filter wizard. The filter wizard displays all the attributes with matching conditions for the filter. (P. 29 of the document HP_Fortify_Audit_Workbench_User_Guide_4.30; this documentation is with your Fortify program files.) This alternative might be preferable if you want others to be aware of the issues, even as you ignore them.

Removed issues. This alternative is not particularly relevant to your situation, but I present it for the sake of completeness. As multiple scans are run on a project over time, issues are often remediated or become obsolete. As it merges scan results, Static Code Analyzer marks issues that were uncovered in a previous scan, but are no longer evident in the most recent SCA analysis results as Removed. Removed issues are not included in the group totals shown in the issues panel. As you do not intend to "remediate" this issue, it will not become a "removed issue."

To show or hide suppressed, hidden, and removed issues, use the Option menu. Visibility filters show or hide issues.
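As an added illustration (not code from the question, the answer, or Fortify itself), the following Python models the two things this thread turns on: the name-based heuristic that makes passwordRules a "Privacy Violation" source no matter what the string holds, and the suppressed/hidden visibility rules the answer describes for the issues panel. The Java input, the private-name convention, the taint propagation rules and the (line, category) issue key are all constructed assumptions; Fortify's real rule set is not on this page.

```python
import re
from collections import Counter

# Constructed Java-ish input modelled on the method in the question; it is not
# the asker's real code. Three methods: the false positive (passwordRules),
# a genuine password flow, and a benign control that no heuristic should flag.
JAVA_SOURCE = """\
private void writeOutput(String passwordRules, PrintWriter out) {
    String rules = passwordRules;
    out.print(rules);
}
private void writeLogin(String password, PrintWriter out) {
    out.print(password);
}
private void writeHelp(String complexityHints, PrintWriter out) {
    out.print(complexityHints);
}
"""

# Assumed name convention; Fortify's actual rules are not public on this page.
PRIVATE_NAME = re.compile(r"passw(?:or)?d|secret|ssn", re.IGNORECASE)
DECL = re.compile(r"\bString\s+(\w+)")            # parameter or local declaration
ASSIGN = re.compile(r"\b(\w+)\s*=\s*(\w+)\s*;")   # plain copy: taint propagates
SINK = re.compile(r"\bout\.print\((\w+)\)")       # servlet response write
METHOD_START = re.compile(r"^\s*(?:private|public|protected)\b")

CATEGORY = "Privacy Violation"


def scan(source: str) -> list[dict]:
    """Name-heuristic privacy check: an identifier whose *name* matches the
    private-data convention is treated as a private source, taint follows
    plain assignments, and any flow into out.print(...) is reported.
    The value is never inspected, which is why "Minimum 8 characters" held
    in a variable called passwordRules comes out as a finding."""
    findings = []
    tainted: set[str] = set()
    for lineno, line in enumerate(source.splitlines(), 1):
        if METHOD_START.match(line):
            tainted = set()                      # taint is tracked per method
        for name in DECL.findall(line):
            if PRIVATE_NAME.search(name):
                tainted.add(name)
        copy = ASSIGN.search(line)
        if copy and copy.group(2) in tainted:
            tainted.add(copy.group(1))
        sink = SINK.search(line)
        if sink and sink.group(1) in tainted:
            findings.append({"line": lineno, "arg": sink.group(1), "category": CATEGORY})
    return findings


def issues_panel(findings, suppressed=frozenset(), hidden=frozenset()):
    """Visibility semantics as the answer states them: a suppressed issue
    drops out of the group totals; a hidden issue stays in the totals but
    is not listed. Issues are keyed by (line, category), an assumed stand-in
    for the instance identity Audit Workbench tracks across scans."""
    key = lambda f: (f["line"], f["category"])
    counted = [f for f in findings if key(f) not in suppressed]
    visible = [f for f in counted if key(f) not in hidden]
    return {"totals": dict(Counter(f["category"] for f in counted)),
            "visible": visible}


if __name__ == "__main__":
    hits = scan(JAVA_SOURCE)
    print("raw findings:", [(f["line"], f["arg"]) for f in hits])
    # The asker's workaround: rename the variable and the heuristic no longer fires.
    renamed = JAVA_SOURCE.replace("passwordRules", "complexityRules")
    print("after rename:", [f["line"] for f in scan(renamed)])
    # The answer's approach: audit the false positive as suppressed, keep the real one.
    print(issues_panel(hits, suppressed={(3, CATEGORY)}))
```

Running it reports findings on lines 3 and 6 of the constructed input; renaming clears line 3 while leaving the genuine password flow on line 6, and suppressing the line-3 issue removes it from the totals whereas hiding it keeps the total at 2 but drops it from the visible list, which is the distinction the answer draws.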
