Exclude Vulnerabilities with Sanitization Functions

This article will show you how to create a policy that instructs NG SAST to ignore vulnerabilities that have a sanitization function in the dataflow when analyzing your application. Developers often use sanitization functions in their application's source code to sanitize user input. This protects against common attacks, such as SQL Injection attacks.

Step 1: Create a New Policy File

For this tutorial, we will scaffold off the default policy:

sl policy create default <filepath>

Specify (and make a note of) the filepath you would like the policy to be saved once created.

Step 2: Edit the Policy Definition

Open your newly created policy file using a text editor. Add the following directives to your policy file:

IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict
TAG "CHECK" METHOD -f "javax.servlet.http.HttpServletRequest.setAttribute:void(java.lang.String,java.lang.Object)"

Note that setAttribute is the actual method signature of the sanitization function.

The final line of the example shown above instructs NG SAST to add a check tag to all data flows that contain a function matching the method signature defined with the -f option.

Step 3: Validate the New Policy

After you write new policy definitions or editing the existing definitions, you must validate your new policy to make sure that there are no errors. To do so, run:

sl policy validate <filepath>

This command returns a non-zero exit status code if there is a problem with either the syntax or the semantics of your policy.

Step 4: Upload the Policy to the ShiftLeft Repository

NG SAST can only use a custom policy if it is located in the ShiftLeft repository. To upload your policy, run:

sl policy push <policyLabel> <filepath>

Be sure to replace <policyLabel> with the desired name for your policy.

If you successfully upload your policy, ShiftLeft returns to the CLI your Org ID policy and tag:

<OrgId>/policyLabel>:<policyTag>

<policyTag> is the tag ShiftLeft assigned to the policy by default.

You can check for this policy in the repository by using the info command, which lists all policies uploaded with the specified label that is available to you:

sl policy info <OrgId>/<policyLabel>:<policyTag>

Step 5: Assign the New Policy

Assigning the policy to your application ensures that NG SAST uses it the next time it analyzes the app's code:

sl analyze --policy <policyLabel> --app <name>

At this point, you are ready to proceed with your next code analysis.