This article will show you how to create a policy that marks a specific method to be treated as a validation; this results in NG SAST suppressing some of the findings that would otherwise appear.
We will use the shiftleft-java-example repo to demonstrate this process. We want to mark the `isAdmin` method in `AdminController.java` so that NG SAST treats it as a validation, suppressing some of NG SAST's findings.
Creating the policy
In the source code, look at the `AdminController.java` file and make a note of the following pieces of information:
- Package name
- Class name
- Method name
- Return type
- Parameter(s) accepted
Please note that you must express all types using the complete form (e.g., strings should be expressed as `java.lang.String` and objects should be expressed as `java.lang.Object`). You can express primitive types, such as
```
IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict

### These methods are approved by AppSec ###
### TAG "CHECK" METHOD - This prefix indicates that the method is an approved validation method
### Pass the full name after -f using the below syntax
### Package name . Class name . Method name : Return type ( Argument type )

# Package name: io.shiftleft.controller
# Class name: AdminController
# Method name: isAdmin
# Return type: boolean
# Arguments: String (Expressed as java.lang.String in full form)
TAG "CHECK" METHOD -f "io.shiftleft.controller.AdminController.isAdmin:boolean(java.lang.String)"
```
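To avoid hand-typing the `-f` argument (and the easy mistake of writing `String` instead of `java.lang.String`), the following helper builds it from the five pieces noted above. This is an added example written for this article, not ShiftLeft tooling; it assumes the `Package.Class.Method:ReturnType(ArgType)` layout shown in the policy above and, for methods with several parameters, assumes argument types are comma-separated (the page only shows a single argument).

```python
"""Build a TAG "CHECK" METHOD line from the pieces noted in the Java source.

Added helper for this article; not part of ShiftLeft or NG SAST.
"""
import re

# Short type names a reader is likely to jot down, mapped to the complete form
# the policy requires. Only java.lang types are expanded here (assumption).
JAVA_LANG = {"String", "Object", "Integer", "Long", "Boolean",
             "Double", "Float", "Short", "Byte", "Character"}
PRIMITIVES = {"boolean", "byte", "char", "short", "int", "long",
              "float", "double", "void"}


def full_type(name: str) -> str:
    """Return a type in complete form; refuse names that cannot be resolved."""
    name = name.strip()
    if name in PRIMITIVES or "." in name:      # primitive or already qualified
        return name
    if name in JAVA_LANG:
        return "java.lang." + name
    raise ValueError(f"type {name!r} must be written in complete form, "
                     "e.g. com.example.Foo")


def method_signature(package: str, cls: str, method: str,
                     return_type: str, params: list[str]) -> str:
    """Package.Class.Method:ReturnType(ArgType,...) for the -f argument.

    Comma separation of several argument types is an assumption.
    """
    args = ",".join(full_type(p) for p in params)
    return f"{package}.{cls}.{method}:{full_type(return_type)}({args})"


# Sanity check on the final shape before it goes into the policy file.
SIG_RE = re.compile(r"^[\w.]+\.\w+\.\w+:[\w.]+\([\w.,]*\)$")


def tag_check_line(package: str, cls: str, method: str,
                   return_type: str, params: list[str]) -> str:
    """Emit the TAG "CHECK" METHOD line for an approved validation method."""
    sig = method_signature(package, cls, method, return_type, params)
    if not SIG_RE.match(sig):
        raise ValueError(f"malformed signature: {sig}")
    return f'TAG "CHECK" METHOD -f "{sig}"'


if __name__ == "__main__":
    # The isAdmin example from this article.
    print(tag_check_line("io.shiftleft.controller", "AdminController",
                         "isAdmin", "boolean", ["String"]))
```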
Validate, push, and assign your policy when invoking